[Samba] Winbind and AD: Local users with identical AD usernames
rpenny at samba.org
Tue Jun 20 12:01:44 UTC 2023
On 20/06/2023 12:33, Sabolowitsch, Stefan via samba wrote:
> Hi there,
> i hope someone can help me with this question.
> we successfully got Samba 4.11 up and running with Winbind on our SLES 15.2.
> the Linux server is a member of the Windows domain.
> Due to a user with identical name in AD as well as locally on the Linux server, we have the following problem.
> How can we make sure, that the "local user" (with the same name in ad) is accessed only via ssh and the "ad user" only via smb ?
> Thanks for any help
I am sorry to be the bearer of bad news, but you cannot do this.
If you could, it could lead to chaos, your AD user connects to a share
and stores something important that the local user isn't supposed to be
able to access. The local user connects via SSH (which means they aren't
really a local user) and they may be able to access things they shouldn't.
Why would you want to do this anyway ?
One of the ideas behind a Samba Unix domain member, is that you make AD
users into local Unix users, so you only need one user and that user is
stored in AD.
I suppose that I should point out that Samba 4.11.x is EOL from the
Samba point of view.
More information about the samba