[Samba] Problem looking up domain users

Lux smb4 at iotti.biz
Wed Apr 16 13:27:37 UTC 2025


On 2025-04-16 15:02 Rowland Penny via samba wrote:
> On Wed, 16 Apr 2025 14:36:10 +0200
> Lux via samba <samba at lists.samba.org> wrote:
> 
>> On 2025-04-16 12:30 Rowland Penny via samba wrote:
>> > On Wed, 16 Apr 2025 11:38:34 +0200
>> > Lux via samba <samba at lists.samba.org> wrote:
>> >
>> >> Hi all.
>> >>
>> >> I have a problem with a Samba DC for a small domain. It is a Centos
>> >> Stream 8 with samba-4.18.5 compiled by me with AD support.
>> >
>> >
>> > First it is your AD domain and you can do what you like, but:
>> >
>> > Why are you using a testing Distro ? (Centos stream is upstream from
>> > RHEL and between Fedora and RHEL)
>> 
>> Just because it was originally a CentOS 8. I ported it to Stream for
>> the known CentOS reasons. Until now it worked like a charm, despite
>> being now deemed as a "testing distro". I may switch to something
>> else but I'd like to hear if there is some advice about the problem I
>> have now.
> 
> I am sorry, but 'Centos' != 'Centos stream', they are totally
> different, Centos was RHEL rebuilt without the brand names etc. Centos
> Stream is upstream from RHEL, between Fedora and RHEL, things get
> tested on Centos stream and may or may not appear in RHEL.

And then let's say I'm making tests, to see if this setup may work on
CentOS Stream too :)
Till yesterday (or maybe a month ago) things did work cleanly. Then
something happened. I'd like to ask if we can focus on my real problem.
If the answer is "go away from Stream", it's a possible answer. I just
would like to hear if there is any advice more closely focused on my
problem, which is, an error when a Windows client tries to enumerate
domain users.

>> 
>> > Why, if you are compiling Samba yourself, did you not use the latest
>> > version ?
>> 
>> Because it was the latest version when I compiled it:)
> 
> That is a fair comment, but, unless I missed it, you didn't say that.

I did not say that. It seems redundant to me. I said I have a system, 
which used to work good. Now it has a problem, and I'd like to 
investigate that particular problem.

>> It did work,
>> till now when suddenly it exhibits the problem (maybe the problem did
>> start weeks ago, I don't have to add users to groups so often).
>> 
>> > Why did you decide to use the experimental MIT kerberos instead of
>> > the built in Heimdal ?
>> 
>> Just because Mit Krb is in the distro.
> 
> Well yes, but your AD DC is still classed as experimental.

Ok, it's experimental. But it did work. I'm not looking for a system
with "not experimental" written on it. I would like a system which "just
works". And my system, despite being experimental as you say, did work
till some days ago. Then something happened. I just have the doubt that
there is something simple to adjust, to return having an "experimental
system, which just works".

>> 
>> > Finally 'root' is not and never has been an AD user.
>> 
>> At least in my AD environment, root is a user like another. The same
>> applies to Administrator. The same problem shows with my own user,
>> named lux, and with every other user that I tried to use, as I wrote.
> 
> If you have 'root' as a user in AD, I suggest you delete that user.
> 'root' is the superuser on Unix and any 'root' user in AD will just be
> another ordinary user. The same goes the other way 'Administrator' on
> Unix is just another ordinary user, but 'Administrator' on a Samba AD DC
> is mapped to 'root'. I would recommend only using the Unix user 'root'
> on Unix and the Windows user 'Administrator' on Windows.

Ok now I rebooted the server and tried with a user named "lux" and some 
other users, both ordinary and admins. The results are exactly the same.
Please forgive me if I do not delete my root Samba user, it's just 
another one in the Domain Admins group.

>> 
>> If there is some advice about my original problem, you're welcome. On
>> the other hand, I may switch distro when I have time, if I'm unable
>> to solve the problem.
>> 
>> Luigi
> 
> I am not saying you should switch Distro (though I personally wouldn't
> use Centos Stream), it is just that if you want to run Samba as an AD
> DC, you should do it in a way that everybody else does, which usually
> means ignoring how redhat tells you to do it.
> 
> By the way, you do not need to build Samba packages for redhat, you can
> find DC compatible packages here:
> 
> https://samba.tranquil.it/doc/en/samba_config_server/redhat/server_install_samba_redhat.html

I like to build packages. I don't understand why I should not. Mine, in
this case, are just Fedora packages rebuilt on a RH/CentOS/Rocky/Alma 
system.

Please again, let's focus on my problem. Why a particular function does 
not work today. Then, if nothing else works, I'll think about changing
distro, packages, version etc.

> 
> Rowland


