[Samba] Winbind and AD: Local users with identical AD usernames

Rowland Penny rpenny at samba.org
Tue Jun 20 12:01:44 UTC 2023

On 20/06/2023 12:33, Sabolowitsch, Stefan via samba wrote:
> Hi there,
> I hope someone can help me with this question.
> We successfully got Samba 4.11 up and running with Winbind on our SLES 15.2.
> The Linux server is a member of the Windows domain.
> Due to a user with an identical name in AD as well as locally on the Linux server, we have the following problem.
> How can we make sure that the "local user" (with the same name in AD) is accessed only via SSH and the "AD user" only via SMB?
> Thanks for any help
> Stefan

I am sorry to be the bearer of bad news, but you cannot do this.
If you could, it could lead to chaos: your AD user connects to a share 
and stores something important that the local user isn't supposed to be 
able to access. The local user connects via SSH (which means they aren't 
really a local user) and they may be able to access things they shouldn't.

Why would you want to do this anyway?
One of the ideas behind a Samba Unix domain member is that you make AD 
users into local Unix users, so you only need one user, and that user is 
stored in AD.

I suppose that I should point out that Samba 4.11.x is EOL from the 
Samba point of view.
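A check an administrator can run on a domain member to find exactly the situation the thread describes: names present both in the local passwd file and in the user list winbind returns, so that NSS would resolve them to whichever source comes first in nsswitch.conf. This is an added example, not code from the thread or from Samba; it assumes the output of `wbinfo -u` has been saved to a file, that the winbind separator is `\` or `+`, and all sample data below is constructed.

```shell
#!/bin/sh
# find_collisions LOCAL_PASSWD_FILE WINBIND_USER_LIST
#   LOCAL_PASSWD_FILE: passwd-format file (normally /etc/passwd)
#   WINBIND_USER_LIST: one name per line (normally saved output of `wbinfo -u`)
# Prints, sorted, every name that exists in both sources. Always returns 0.
find_collisions() {
    tmp=$(mktemp) || return 1
    cut -d: -f1 "$1" | sort -u > "$tmp"
    # Strip a "DOMAIN\" or "DOMAIN+" prefix (assumed winbind separators),
    # lowercase as winbind does, then keep only names also in the local list.
    sed 's/^.*[\\+]//' "$2" | tr '[:upper:]' '[:lower:]' | sort -u \
        | grep -Fx -f "$tmp"
    rm -f "$tmp"
    return 0
}

# passwd_lookup_order NSSWITCH_FILE
# Prints the sources NSS consults for passwd, in order; the first source
# that holds a name wins for every login path (SSH and SMB alike).
passwd_lookup_order() {
    awk '$1 == "passwd:" { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

# Demonstration on constructed data (not taken from a real system).
demo() {
    pw=$(mktemp); wb=$(mktemp); ns=$(mktemp)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$pw"
    printf 'stefan:x:1001:100::/home/stefan:/bin/bash\n' >> "$pw"
    printf 'backup:x:1002:100::/home/backup:/bin/sh\n' >> "$pw"
    printf 'EXAMPLE\\stefan\nEXAMPLE\\alice\nEXAMPLE\\Backup\n' > "$wb"
    printf 'passwd: files winbind\ngroup:  files winbind\n' > "$ns"
    echo "passwd lookup order: $(passwd_lookup_order "$ns")"
    echo "names present both locally and in AD:"
    find_collisions "$pw" "$wb"
    rm -f "$pw" "$wb" "$ns"
}

demo
```

Any name the script prints will be served from the first source in the passwd line for both SSH and SMB, which is why the two accounts cannot be kept apart.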

