Sabolowitsch, Stefan
2023-Jun-20 11:33 UTC
[Samba] Winbind and AD: Local users with identical AD usernames
Hi there,

I hope someone can help me with this question.

We successfully got Samba 4.11 up and running with Winbind on our SLES 15.2.
The Linux server is a member of the Windows domain.
Due to a user with an identical name in AD as well as locally on the Linux server, we have the following problem.

How can we make sure that the "local user" (with the same name in AD) is accessed only via SSH and the "AD user" only via SMB?

Thanks for any help
Stefan
Stefan Kania
2023-Jun-20 12:00 UTC
[Samba] Winbind and AD: Local users with identical AD usernames
Hi Stefan,

On 20.06.23 at 13:33, Sabolowitsch, Stefan via samba wrote:
> Hi there,
> i hope someone can help me with this question.
>
> we successfully got Samba 4.11 up and running with Winbind on our SLES 15.2.

First thing: 4.11 is far, far out of service; you should not use it in a production environment. Use 4.17 or, better, 4.18.

> the Linux server is a member of the Windows domain.
> Due to a user with identical name in AD as well as locally on the Linux server, we have the following problem.
>
> How can we make sure, that the "local user" (with the same name in ad) is accessed only via ssh and the "ad user" only via smb ?
>

You could maybe manage this via PAM.

Stefan

> Thanks for any help
> Stefan
>
Rowland Penny
2023-Jun-20 12:01 UTC
[Samba] Winbind and AD: Local users with identical AD usernames
On 20/06/2023 12:33, Sabolowitsch, Stefan via samba wrote:
> Hi there,
> i hope someone can help me with this question.
>
> we successfully got Samba 4.11 up and running with Winbind on our SLES 15.2.
> the Linux server is a member of the Windows domain.
> Due to a user with identical name in AD as well as locally on the Linux server, we have the following problem.
>
> How can we make sure, that the "local user" (with the same name in ad) is accessed only via ssh and the "ad user" only via smb ?
>
> Thanks for any help
> Stefan
>

I am sorry to be the bearer of bad news, but you cannot do this. If you could, it could lead to chaos: your AD user connects to a share and stores something important that the local user isn't supposed to be able to access. The local user connects via SSH (which means they aren't really a local user) and they may be able to access things they shouldn't.

Why would you want to do this anyway? One of the ideas behind a Samba Unix domain member is that you make AD users into local Unix users, so you only need one user and that user is stored in AD.

I suppose that I should point out that Samba 4.11.x is EOL from the Samba point of view.

Rowland
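The ambiguity Rowland describes comes from NSS: both sshd and smbd resolve a name through the `passwd` database, so whichever source `nsswitch.conf` lists first wins for every service. The following added check (not code from the thread or from the Samba project) finds names that exist both in local files and in winbind and reports which source NSS would answer from; the sample `passwd`, `wbinfo -u` and `nsswitch.conf` inputs are constructed, and it assumes the default `\` (or `+`) winbind separator.

```python
"""Find account names present both locally and in AD, and report which NSS
source answers first. Sample inputs are constructed; in practice feed it the
output of `getent -s files passwd`, `wbinfo -u` and /etc/nsswitch.conf."""
import re

# Constructed sample data (not taken from the mailing-list thread).
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
stefan:x:1001:1001:Stefan (local):/home/stefan:/bin/bash
backup:x:1002:1002::/srv/backup:/usr/sbin/nologin
"""
WINBIND_USERS = """EXAMPLE\\stefan
EXAMPLE\\alice
EXAMPLE\\Backup
"""
NSSWITCH = """passwd: compat winbind
group:  compat winbind
shadow: compat
"""


def local_users(passwd_text):
    """Account names from passwd(5)-style lines; blank lines are skipped."""
    return {line.split(":", 1)[0] for line in passwd_text.splitlines() if line.strip()}


def winbind_users(wbinfo_text):
    """Names from `wbinfo -u` with any DOMAIN\\ or DOMAIN+ prefix removed.
    AD names are case-insensitive, so they are normalised to lower case."""
    names = set()
    for line in wbinfo_text.splitlines():
        line = line.strip()
        if line:
            names.add(re.split(r"[\\+]", line, maxsplit=1)[-1].lower())
    return names


def passwd_sources(nsswitch_text):
    """Ordered NSS sources for the passwd database ('compat' acts like 'files')."""
    for line in nsswitch_text.splitlines():
        if line.split(":", 1)[0].strip() == "passwd":
            return ["files" if s == "compat" else s for s in line.split(":", 1)[1].split()]
    return []


def find_collisions(passwd_text, wbinfo_text, nsswitch_text):
    """Return {local_name: source_that_wins} for names found in both local files and AD."""
    local = {n.lower(): n for n in local_users(passwd_text)}
    shared = set(local) & winbind_users(wbinfo_text)
    order = passwd_sources(nsswitch_text)
    winner = next((s for s in order if s in ("files", "winbind")), "unknown")
    return {local[n]: winner for n in sorted(shared)}
```

A non-empty result means the two accounts cannot be told apart by service; renaming one of them (or dropping the local account, as Rowland suggests) removes the ambiguity.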