pdbedit Command in Linux
The pdbedit command in Linux manages the SAM database or database of Samba users. It is a part of the samba suite. It can be used in five primary ways: creating a user account, deleting a user account, updating user details, displaying user accounts, and importing user accounts.
Table of Contents
Here is a comprehensive guide to the options available with the pdbedit command −
Syntax of pdbedit Command
The syntax of the pdbedit command in Linux is as follows −
pdbedit [options]
The [options] field in the above command is used to specify various options to change the command's behavior.
Options of pdbedit Command
The options of the pdbedit command in Linux are listed below −
| Flag/Option | Description |
|---|---|
| -L, --list | List all users in the Samba database, displaying basic details. |
| -v, --verbose | Provide detailed output, including additional user information. |
| -w, --smbpasswd-style | Display output in smbpasswd format, useful for compatibility. |
| -u USER, --user=USER | Specify the username for operations such as creating, modifying, or deleting a user. |
| -N STRING, --account-desc=STRING | Set a brief description for the user account. |
| -f STRING, --fullname=STRING | Assign the full name of the user, often displayed in administrative tools. |
| -h STRING, --homedir=STRING | Define the home directory path for the user. |
| -D STRING, --drive=STRING | Assign a network home drive letter to the user. |
| -S STRING, --script=STRING | Specify a logon script that runs when the user logs in. |
| -p STRING, --profile=STRING | Set the profile path where user-specific settings are stored. |
| -I STRING, --domain=STRING | Assign the user to a specific domain for authentication. |
| -U STRING, --user SID=STRING | Set the user's Security Identifier (SID) or Relative Identifier (RID). |
| -M STRING, --machine SID=STRING | Assign a machine SID or RID, used for system accounts. |
| -a, --create | Create a new Samba user account, prompting for a password. |
| -r, --modify | Modify an existing user, updating fields like name, home directory, or profile path. |
| -m, --machine | Indicate that the account being managed is a machine account. |
| -x, --delete | Remove a user account from the Samba database. |
| -b STRING, --backend=STRING | Use a different passdb backend instead of the default. |
| -i STRING, --import=STRING | Import user accounts from a specified backend. |
| -e STRING, --export=STRING | Export user accounts to a specified backend. |
| -g, --group | Apply import/export operations to user groups instead of individual accounts. |
| -y, --policies | Migrate account policies between different authentication backends. |
| --policies-reset | Restore default account policies, resetting custom configurations. |
| -P STRING, --account-policy=STRING | Set an account policy such as maximum password age or login restrictions. |
| -C LONG, --value=LONG | Assign a numerical value to a specified account policy. |
| -c STRING, --account-control=STRING | Define specific account control flags, such as password expiration requirements. |
| --force-initialized-passwords | Reset and initialize corrupted password strings in a passdb backend. |
| -z, --bad-password-count-reset | Reset the count of failed login attempts for a user. |
| -Z, --logon-hours-reset | Reset the allowed logon hours for a user to the default. |
| --time-format=STRING | Set the format for displaying time-based parameters. |
| -t, --password-from-stdin | Read the user's password from standard input instead of prompting interactively. |
| -K STRING, --kickoff-time=STRING | Set the account expiration or forced logoff time for the user. |
| --set-nt-hash=STRING | Manually set the user's password using an NT hash value. |
| -?, --help | Display a detailed help message with all available options. |
| --usage | Show a brief summary of command usage. |
| -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL | Define the verbosity level for debugging output. |
| --debug-stdout | Redirect debug output to standard output instead of log files. |
| -s CONFIGFILE, --configfile=CONFIGFILE | Use an alternative Samba configuration file instead of the default. |
| --option=name=value | Set a specific smb.conf configuration option directly from the command line. |
| -l LOGFILEBASE, --log-basename=LOGFILEBASE | Specify a custom base name for log/debug files generated by Samba. |
| ---report | Enable talloc reporting on exit. |
| ---report-full | Enable full talloc reporting on exit. |
| -V, --version | Display the command version. |
Examples of pdbedit Command in Linux
This section demonstrates how to use the pdbedit command in Linux with examples −
- Adding a User
- Listing all Users
- Adding a User with a Custom Full Name and Home Directory
- Modifying the Existing User
- Deleting a User
- Resetting the Bad Password Count
- Resetting the Logon Hours
- Setting Account Expiry Time
- Setting Account Control Flag
- Displaying Usage Help
Adding a User
To add a user to the database, use the -a or --create option with the user's name.
sudo pdbedit -a -u sam
The above will prompt for the password, type and retype the password for confirmation, and the user will be added, as shown in the above output image.
Note that Samba relies on system users. Before adding a Samba user, ensure sam exists in the system. Moreover, the pdbedit command requires sudo privileges.
Listing all Users
To list all the users, use the -L or --list option −
sudo pdbedit -L
To get the detailed output, use the -v or --verbose option −
sudo pdbedit -v -L
Adding a User with a Custom Full Name and Home Directory
To add a user with a custom name and home directory, use the pdbedit command in the following way −
sudo pdbedit -a -u sam -f "Samuel" -h "/home/user/smb_dir"
In the above command, the -f/--fullname is used to specify the full name, and -h/--homedir is used to specify the home directory. By default, the user's home directory is set by the smb.conf file configuration.
Modifying the Existing User
The details of the existing user can be modified using the -r or --modify option −
sudo pdbedit -r -u sam -f "Samson" -h "/home/user/new_smb_dir"
Use the username of an existing user.
Deleting a User
To delete a user, use the -x or --delete option with the pdbedit command −
sudo pdbedit -x -u alex
6. Resetting the Bad Password Count
To reset the bad password count, use the -z or --bad-password-count-reset option −
sudo pdbedit -z -u sam
Resetting the Logon Hours
To reset the logon hours, use the -Z or --logon-hours-reset option with the pdbedit command −
sudo pdbedit -Z -u sam
Setting Account Expiry Time
To set the expiry time for an account, use the -K or --kickoff option with the Unix timestamp −
sudo pdbedit -K 1740700800 -u sam
To get the Unix time stamp of a specific date, use the following command −
date -d "2025-02-28 00:00:00 UTC" +%s
This means the user will be disabled at 1740700800.
To remove the kickoff time, set the kickoff time to zero −
sudo pdbedit -K 0 -u sam
Setting Account Control Flag
To set the account control flag, use the -c or --account-control option. For example, to disable the user, use the following command −
sudo pdbedit -c "[D]" -u sam
To enable the user again, use the command given below −
sudo pdbedit -c "[]" -u sam
Other control flags are listed below −
| Flag | Description |
|---|---|
| N | No password required |
| D | Account disabled |
| H | Home directory required |
| T | Temporary duplicate of another account |
| U | Regular user account |
| M | MNS logon user account |
| W | Workstation Trust Account |
| S | Server Trust Account |
| L | Automatic Locking |
| X | Password does not expire |
| i | Domain Trust Account |
Displaying Usage Help
To display the usage help of the pdbedit command, use the -? or --help option −
pdbedit -?
Conclusion
The pdbedit command in Linux is a handy tool for managing Samba user accounts within the SAM database. It provides options to create, modify, delete, and list user accounts, as well as import and export user data.
With various flags, the pdbedit command allows customization of user details such as home directories, logon scripts, and account policies. Using pdbedit requires administrative privileges and system user management.