10.3 Account Management Tools

Samba provides two tools for management of user and machine accounts. These tools are called smbpasswd and pdbedit . A third tool is under development but is not expected to ship in time for Samba-3.0.0. The new tool will be a TCL/TK GUI tool that looks much like the MS Windows NT4 Domain User Manager. Hopefully this will be announced in time for the Samba-3.0.1 release.

10.3.1 The smbpasswd Command

The smbpasswd utility is similar to the passwd or yppasswd programs. It maintains the two 32 byte password fields in the passdb backend.

smbpasswd works in a client-server mode where it contacts the local smbd to change the user's password on its behalf . This has enormous benefits.

smbpasswd has the capability to change passwords on Windows NT servers (this only works when the request is sent to the NT Primary Domain Controller if changing an NT Domain user's password).

smbpasswd can be used to:

• add user or machine accounts.

• delete user or machine accounts.

• enable user or machine accounts.

• disable user or machine accounts.

• set to NULL user passwords.

• manage interdomain trust accounts .

To run smbpasswd as a normal user just type:

 $ smbpasswd Old SMB password: secret 

For secret , type old value here or press return if there is no old password.

 New SMB Password: new secret Repeat New SMB Password: new secret 

If the old value does not match the current value stored for that user, or the two new values do not match each other, then the password will not be changed.

When invoked by an ordinary user, the command will only allow the user to change his or her own SMB password.

When run by root, smbpasswd may take an optional argument specifying the user name whose SMB password you wish to change. When run as root, smbpasswd does not prompt for or check the old password value, thus allowing root to set passwords for users who have forgotten their passwords.

smbpasswd is designed to work in the way familiar to UNIX users who use the passwd or yppasswd commands. While designed for administrative use, this tool provides essential User Level password change capabilities.

For more details on using smbpasswd , refer to the man page (the definitive reference).

10.3.2 The pdbedit Command

pdbedit is a tool that can be used only by root. It is used to manage the passdb backend. pdbedit can be used to:

• add, remove or modify user accounts.

• list user accounts.

• migrate user accounts.

The pdbedit tool is the only one that can manage the account security and policy settings. It is capable of all operations that smbpasswd can do as well as a super set of them.

One particularly important purpose of the pdbedit is to allow the migration of account information from one passdb backend to another. See the XML password backend section of this chapter.

The following is an example of the user account information that is stored in a tdbsam password backend. This listing was produced by running:

 $ pdbedit -Lv met UNIX username: met NT username: Account Flags: [UX ] User SID: S-1-5-21-1449123459-1407424037-3116680435-2004 Primary Group SID: S-1-5-21-1449123459-1407424037-3116680435-1201 Full Name: Melissa E Terpstra Home Directory: \\frodo\met\Win9Profile HomeDir Drive: H: Logon Script: scripts\logon.bat Profile Path: \\frodo\Profiles\met Domain: MIDEARTH Account desc: Workstations: melbelle Munged dial: Logon time: 0 Logoff time: Mon, 18 Jan 2038 20:14:07 GMT Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT Password last set: Sat, 14 Dec 2002 14:37:03 GMT Password can change: Sat, 14 Dec 2002 14:37:03 GMT Password must change: Mon, 18 Jan 2038 20:14:07 GMT 

The pdbedit tool allows migration of authentication (account) databases from one backend to another. For example: To migrate accounts from an old smbpasswd database to a tdbsam backend:

1. Set the passdb backend = tdbsam, smbpasswd.

2. Execute:

     root# pdbedit -i smbpassed -e tdbsam  

3. Now remove the smbpasswd from the passdb backend configuration in smb.conf .