LinuxCommandLibrary

userdbctl

Manage system user and group database

TLDR

List all known user records

$ userdbctl user

Show details of a specific user
$ userdbctl user [username]

List all known groups
$ userdbctl group

Show details of a specific group
$ userdbctl group [groupname]

List all services currently providing user/group definitions to the system
$ userdbctl services

SYNOPSIS

userdbctl [OPTION...] COMMAND [ARG...]

Commands:
  userdbctl list
  userdbctl show <user>
  userdbctl add <user> [attribute=value...]
  userdbctl del <user>
  userdbctl modify <user> [attribute=value...]
  userdbctl passwd <user>

PARAMETERS

-h, --help
    Displays a help message and exits.

-p, --plain-password
    When used with 'add' or 'modify' commands, treats the 'password' attribute value as plain text to be hashed by userdbctl before storage. Without this option, the password value is expected to be already hashed.

-S, --stdin-password
    Used with the 'passwd' command to read the new password from standard input (stdin) instead of prompting interactively. This is useful for scripting.

-v, --verbose
    Enables verbose output, providing more detailed information about the operations being performed.

-s <path>, --socket <path>
    Specifies the path to the SSSD userdb daemon's Unix socket. The default path is typically /var/lib/sssd/pipes/userdb.

list
    Lists all users currently present in the SSSD userdb.

show <user>
    Displays detailed information for the specified user, including their UID, GID, GECOS, home directory, shell, and other attributes.

add <user>
    Adds a new user with the given username to the SSSD userdb. Requires specifying user attributes like UID, GID, etc.

del <user>
    Deletes the specified user from the SSSD userdb.

modify <user>
    Modifies the attributes of an existing user in the SSSD userdb. Accepts the same attribute=value pairs as the 'add' command.

passwd <user>
    Changes the password for the specified user. If --stdin-password is not used, it will prompt for the new password interactively.

DESCRIPTION

userdbctl is a command-line utility used to manage users within SSSD's local user database, known as userdb. This database is primarily utilized by the nss-userdb SSSD module to provide local user and group information to the system's Name Service Switch (NSS). The command allows administrators to perform various operations, including adding new users, deleting existing ones, modifying user attributes, listing all configured users, displaying details for a specific user, and setting or changing user passwords. It communicates directly with the sssd-userdb daemon via a Unix socket, enabling robust local account management independent of external identity providers.

CAVEATS

userdbctl requires the sssd-userdb daemon to be running and properly configured in sssd.conf to manage users. The command directly manipulates SSSD's internal database, so direct editing of SSSD's database files is not recommended. When setting passwords, be cautious about providing plaintext passwords directly on the command line, as they might be visible in process listings; prefer using --stdin-password or providing already hashed passwords.
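
The process-listing exposure described in this caveat, as an added example that is not part of the userdbctl documentation: a stand-in `sh` worker (not userdbctl itself) receives a constructed secret once as an argument and once on stdin, and its `/proc/<pid>/cmdline` is inspected each time. The names `SECRET`, `probe`, `stop`, `argv_case`, `stdin_case` and `demo-worker` are assumptions made for illustration, and a Linux `/proc` is assumed.

```shell
#!/bin/sh
# Added example. SECRET is a constructed sample value, not a real credential.
# The worker is a stand-in sh process, not userdbctl.
SECRET='constructed-sample-pw'

# probe PID STRING: print "visible" if STRING appears in the argument vector
# of PID as exposed by /proc/PID/cmdline (the data process listings read).
probe() {
    sleep 1    # let the background worker finish exec() before looking
    if cat "/proc/$1/cmdline" 2>/dev/null | tr '\0' ' ' | grep -qF -- "$2"; then
        echo visible
    else
        echo hidden
    fi
}

# stop PID: terminate and reap the worker, ignoring errors if it already exited.
stop() {
    kill "$1" 2>/dev/null || true
    wait "$1" 2>/dev/null || true
}

# Case 1: the secret is an attribute=value argument, so it sits in argv
# for as long as the worker runs.
argv_case() {
    sh -c 'sleep 3; :' demo-worker "password=$SECRET" >/dev/null 2>&1 &
    pid=$!
    probe "$pid" "$SECRET"
    stop "$pid"
}

# Case 2: the secret is written to the worker's stdin; argv holds only the
# program name and its script.
stdin_case() {
    printf '%s\n' "$SECRET" | sh -c 'read -r pw; sleep 3; :' demo-worker >/dev/null 2>&1 &
    pid=$!
    probe "$pid" "$SECRET"
    stop "$pid"
}

echo "secret passed in argv : $(argv_case)"
echo "secret passed on stdin: $(stdin_case)"
```
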

USER ATTRIBUTES FOR ADD/MODIFY COMMANDS

When using the add or modify commands, specific user attributes can be provided as attribute=value pairs:
  uid=<integer>: The user's numeric User ID.
  gid=<integer>: The user's primary numeric Group ID.
  gecos="<string>": The GECOS field (full name or comment). Must be quoted if it contains spaces.
  home="<path>": The user's home directory path. Must be quoted if it contains spaces.
  shell="<path>": The user's default login shell path. Must be quoted if it contains spaces.
  password="<hash_or_plain_text>": The user's password. If --plain-password is used, provide it as cleartext; otherwise, provide a pre-hashed password string (e.g., in crypt(3) format).

FILES

/var/lib/sssd/pipes/userdb: This is the default path to the Unix socket used by userdbctl to communicate with the sssd-userdb daemon.

HISTORY

userdbctl is part of the SSSD (System Security Services Daemon) project, specifically designed to support the nss-userdb module. The nss-userdb module was introduced to allow SSSD to provide a simple, local user and group database, separate from traditional /etc/passwd and /etc/group files, primarily for cases where a full identity management solution is not needed but local SSSD-managed accounts are desired. userdbctl was developed as the dedicated management interface for this local database.

SEE ALSO

sssd(8), sssd-userdb(5), sssd.conf(5), nsswitch.conf(5)
