On Tue, 2 Sep 2025 10:12:27 +0200
Matthias Leopold via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I joined a Samba server to an AD domain that was previously used with
> local user database (passdb backend = tdbsam).
> To my surprise I saw that "old" local users can still login alongside
> the new domain users. My firm conviction was that this behaviour is
> impossible, that only one user database could be used at a time.
> Apparently I never tested this. Is this standard behaviour? Can I
> explicitly disable the local user database?
>
> thanks
> Matthias
>

It depends on what you mean by local users. If you were running Samba as a standalone server, then the 'Samba' users required a 'local' Unix user in /etc/passwd and they will still exist after you joined the client to the domain and they will still be able to login locally. Any username that is in /etc/passwd will normally take local precedence over the same username in AD.

The fix ? Remove any users in /etc/passwd that should only be in AD.

Rowland
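
The following is an added example, not part of the original thread or of Samba itself: a shell function that lists local passwd entries whose names also exist in the domain, which are the accounts the reply above says to remove. The function name, the UID threshold of 1000 and the default `\` winbind separator are assumptions.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# Lists local passwd accounts whose names also exist in the AD domain.
#
# Usage: shadowed_users PASSWD_FILE DOMAIN_USER_LIST [MIN_UID]
#   PASSWD_FILE       passwd(5)-format file, e.g. /etc/passwd
#   DOMAIN_USER_LIST  one name per line, e.g. saved output of `wbinfo -u`
#   MIN_UID           assumption: human accounts start at UID 1000
shadowed_users() {
    passwd_file=$1
    domain_list=$2
    min_uid=${3:-1000}

    # With an empty domain list nothing can be shadowed; this also keeps
    # the NR == FNR test below from matching the passwd file by mistake.
    [ -s "$domain_list" ] || return 0

    awk -F: -v min_uid="$min_uid" '
        # First file: domain users. Strip an optional "DOMAIN\" prefix
        # (assumes the default winbind separator) and fold case, because
        # AD account names are case-insensitive.
        NR == FNR {
            name = $0
            sub(/\r$/, "", name)
            sub(/^.*\\/, "", name)
            if (name != "") domain[tolower(name)] = 1
            next
        }
        # Second file: passwd entries. Skip comments, NIS compat lines,
        # malformed lines and accounts below the UID threshold.
        /^[#+-]/ || NF < 7 { next }
        $3 + 0 >= min_uid && (tolower($1) in domain) { print $1 }
    ' "$domain_list" "$passwd_file" | LC_ALL=C sort -u
}
```

On a domain member this would be run as `wbinfo -u > domain_users.txt` followed by `shadowed_users /etc/passwd domain_users.txt`; each name printed is a local account that takes precedence over the AD account of the same name.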
Matthias Leopold
2025-Sep-02 09:57 UTC
[Samba] [EXTERN] Re: Multiple concurrent user databases?
On 02.09.25 at 10:50, Rowland Penny via samba wrote:

> On Tue, 2 Sep 2025 10:12:27 +0200
> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I joined a Samba server to an AD domain that was previously used with
>> local user database (passdb backend = tdbsam).
>> To my surprise I saw that "old" local users can still login alongside
>> the new domain users. My firm conviction was that this behaviour is
>> impossible, that only one user database could be used at a time.
>> Apparently I never tested this. Is this standard behaviour? Can I
>> explicitly disable the local user database?
>>
>> thanks
>> Matthias
>>
>
> It depends on what you mean by local users. If you were running Samba
> as a standalone server, then the 'Samba' users required a 'local' Unix
> user in /etc/passwd and they will still exist after you joined the
> client to the domain and they will still be able to login locally. Any
> username that is in /etc/passwd will normally take local precedence
> over the same username in AD.
>
> The fix ? Remove any users in /etc/passwd that should only be in AD.
>
> Rowland
>
>

Thank you. In a similar discussion we had in 2018 I asked about "concurrent" use of tdbsam and ldapsam which is not possible. With this in mind I was surprised by what I found now with AD members.

https://lists.samba.org/archive/samba/2018-August/217726.html

Matthias