On Tue, 2 Sep 2025 10:12:27 +0200
Matthias Leopold via samba <samba at lists.samba.org> wrote:
> Hi,
>
> I joined a Samba server to an AD domain that was previously used with
> local user database (passdb backend = tdbsam).
> To my surprise I saw that "old" local users can still login alongside
> the new domain users. My firm conviction was that this behaviour is
> impossible, that only one user database could be used at a time.
> Apparently I never tested this. Is this standard behaviour? Can I
> explicitly disable the local user database?
>
> thanks
> Matthias
>
It depends on what you mean by local users. If you were running Samba
as a standalone server, then the 'Samba' users required a 'local' Unix
user in /etc/passwd and they will still exist after you joined the
client to the domain and they will still be able to login locally. Any
username that is in /etc/passwd will normally take local precedence
over the same username in AD.
The fix? Remove any users in /etc/passwd that should only be in AD.
Rowland
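
An audit for the overlap described in the reply above, as an added example that is not part of the original thread: it reports /etc/passwd accounts whose names also exist in AD, so they can be reviewed before removal. The function names, the sample data and the assumption that the AD list is saved `wbinfo -u` output (one name per line, optionally prefixed with DOMAIN\) are mine.

```shell
#!/bin/sh
# shadowed_users PASSWD_FILE AD_USERS_FILE   (hypothetical helper)
#   PASSWD_FILE   - file in /etc/passwd format
#   AD_USERS_FILE - one AD account per line (assumed: saved `wbinfo -u` output)
# Prints "name:uid" for every local account whose name also exists in AD.
shadowed_users() {
    awk -F: '
        # AD list: strip CR and any DOMAIN\ prefix, compare case-insensitively.
        FILENAME == ARGV[1] {
            name = $0
            sub(/\r$/, "", name)
            sub(/^.*\\/, "", name)
            if (name != "") ad[tolower(name)] = 1
            next
        }
        # passwd file: skip comments and blank lines, report name collisions.
        /^#/ || $1 == "" { next }
        (tolower($1) in ad) { print $1 ":" $3 }
    ' "$2" "$1"
}

# Run the check on constructed sample data (not taken from the thread).
demo_shadowed() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
EOF
    cat > "$tmp/ad_users" <<'EOF'
EXAMPLE\Alice
EXAMPLE\bob
EXAMPLE\dave
EOF
    shadowed_users "$tmp/passwd" "$tmp/ad_users"
    rm -rf "$tmp"
}

demo_shadowed
```

On a real member server the inputs would be /etc/passwd and a file produced with `wbinfo -u > ad_users.txt`; the script only reports, it removes nothing.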