[Samba] Problem looking up domain users
Rowland Penny
rpenny at samba.org
Wed Apr 16 13:02:41 UTC 2025
On Wed, 16 Apr 2025 14:36:10 +0200
Lux via samba <samba at lists.samba.org> wrote:
> On 2025-04-16 12:30, Rowland Penny via samba wrote:
> > On Wed, 16 Apr 2025 11:38:34 +0200
> > Lux via samba <samba at lists.samba.org> wrote:
> >
> >> Hi all.
> >>
> >> I have a problem with a Samba DC for a small domain. It is a Centos
> >> Stream 8 with samba-4.18.5 compiled by me with AD support.
> >
> >
> > First it is your AD domain and you can do what you like, but:
> >
> > Why are you using a testing Distro? (Centos stream is upstream from
> > RHEL and between Fedora and RHEL)
>
> Just because it was originally a CentOS 8. I ported it to Stream for
> the known CentOS reasons. Until now it worked like a charm, despite
> being now deemed as a "testing distro". I may switch to something
> else but I'd like to hear if there is some advice about the problem I
> have now.
I am sorry, but 'Centos' != 'Centos stream', they are totally
different, Centos was RHEL rebuilt without the brand names etc. Centos
Stream is upstream from RHEL, between Fedora and RHEL, things get
tested on Centos stream and may or may not appear in RHEL.
>
> > Why, if you are compiling Samba yourself, did you not use the latest
> > version?
>
> Because it was the latest version when I compiled it:)
That is a fair comment, but, unless I missed it, you didn't say that.
> It did work,
> till now when suddenly it exhibits the problem (maybe the problem did
> start weeks ago, I don't have to add users to groups so often).
>
> > Why did you decide to use the experimental MIT kerberos instead of
> > the built in Heimdal ?
>
> Just because Mit Krb is in the distro.
Well yes, but your AD DC is still classed as experimental.
>
> > Finally 'root' is not and never has been an AD user.
>
> At least in my AD environment, root is a user like another. The same
> applies to Administrator. The same problem shows with my own user,
> named lux, and with every other user that I tried to use, as I wrote.
If you have 'root' as a user in AD, I suggest you delete that user.
'root' is the superuser on Unix and any 'root' user in AD will just be
another ordinary user. The same goes the other way, 'Administrator' on
Unix is just another ordinary user, but 'Administrator' on a Samba AD DC
is mapped to 'root'. I would recommend only using the Unix user 'root'
on Unix and the Windows user 'Administrator' on Windows.
>
> If there is some advice about my original problem, you're welcome. On
> the other hand, I may switch distro when I have time, if I'm unable
> to solve the problem.
>
> Luigi
I am not saying you should switch Distro (though I personally wouldn't
use Centos Stream), it is just that if you want to run Samba as an AD
DC, you should do it in a way that everybody else does, which usually
means ignoring how redhat tells you to do it.
By the way, you do not need to build Samba packages for redhat, you can
find DC compatible packages here:
https://samba.tranquil.it/doc/en/samba_config_server/redhat/server_install_samba_redhat.html
Rowland