[Samba] Problem looking up domain users

Rowland Penny rpenny at samba.org
Wed Apr 16 16:00:16 UTC 2025


On Wed, 16 Apr 2025 15:27:37 +0200
Lux via samba <samba at lists.samba.org> wrote:

> Il 2025-04-16 15:02 Rowland Penny via samba ha scritto:
> > On Wed, 16 Apr 2025 14:36:10 +0200
> > Lux via samba <samba at lists.samba.org> wrote:
> > 
> >> Il 2025-04-16 12:30 Rowland Penny via samba ha scritto:
> >> > On Wed, 16 Apr 2025 11:38:34 +0200
> >> > Lux via samba <samba at lists.samba.org> wrote:
> >> >
> >> >> Hi all.
> >> >>
> >> >> I have a problem with a Samba DC for a small domain. It is a
> >> >> Centos Stream 8 with samba-4.18.5 compiled by me with AD
> >> >> support.
> >> >
> >> >
> >> > First it is your AD domain and you can do what you like, but:
> >> >
> >> > Why are you using a testing Distro ? (Centos stream is upstream
> >> > from RHEL and between Fedora and RHEL)
> >> 
> >> Just because it was originally a CentOS 8. I ported it to Stream for
> >> the known CentOS reasons. Until now it worked like a charm, despite
> >> being now deemed a "testing distro". I may switch to something
> >> else but I'd like to hear if there is some advice about the
> >> problem I have now.
> > 
> > I am sorry, but 'Centos' != 'Centos stream', they are totally
> > different, Centos was RHEL rebuilt without the brand names etc.
> > Centos Stream is upstream from RHEL, between Fedora and RHEL,
> > things get tested on Centos stream and may or may not appear in
> > RHEL.
> 
> And then let's say I'm making tests, to see if this setup may work on 
> CentOS Stream too :)
> Till yesterday (or maybe a month ago) things did work cleanly. Then 
> something happened. I'd like to ask if we can focus on my real
> problem. If the answer is "go away from Stream", it's a possible
> answer. I just would like to hear if there is any advice more closely
> focused on my problem, which is, an error when a Windows client tries
> to enumerate domain users.

I have checked and nowhere in your initial post does it say that this
is an existing domain that has 'worked' for some time, so I took it
(mainly from the use of MIT) that it was something you were testing and
replied accordingly. I didn't mean to upset you in any way, it wasn't
my intention, I was just trying to inform you about best practice when
it comes to Samba AD.

Users on Windows are identified by SIDs, mainly the RID from the end of
the SID. Samba maps these to Unix IDs. There are several ways of doing
this, but on a Samba AD DC only two are possible: 'idmap.ldb', where the
users and groups are mapped to xidNumbers (numbers in the '3000000'
range) in idmap.ldb, or the 'ad' idmap backend, giving
users, groups and computers the relevant rfc2307 attributes. I cannot
see any mention of rfc2307 attributes in your log fragments, so you
are probably not using the 'ad' backend, which leaves you with
idmap.ldb. This idmap backend is an allocating backend, that is, the IDs
are allocated on a first-come basis, but there are three exceptions to
this:
Domain Users is mapped to the Unix ID for the Unix 'users' group (ID
100)
Domain Guest is mapped to the Unix guest group 'nogroup' (ID 65534)
Administrator is mapped to the Unix user 'root' (ID 0)

Now do you see why you should not have a user in AD called 'root' ?

I have never used Centos Stream, but I have set up AD DCs on Centos
(some time ago) and Rocky Linux 8 and 9 and one thing I had to do was
alter /etc/krb5.conf (if such a thing exists when using MIT):

[libdefaults]
	default_realm = AD.DOMAIN.IT
	dns_lookup_realm = false
	dns_lookup_kdc = true
	rdns = false

[realms]
	AD.DOMAIN.IT = {
		default_domain = ad.domain.it
	}

[domain_realm]
	PUT_YOUR_DCS_SHORT_HOSTNAME_HERE = AD.DOMAIN.IT

There is probably something at the top of your existing /etc/krb5.conf
about deleting a file, I had to do that.

However, in altering the above to match your setup, I finally noticed
something. Now, it could just be bad sanitisation, but there are lines
like this:

Apr 16 08:41:34 linux.domain.it krb5kdc[54894](info):
kdb_samba_db_sign_auth_data: Found PAC data for TGS-REQ
[root at AD.DOMAIN.IT]

'linux.domain.it' != 'AD.DOMAIN.IT'

If you want to compile Samba, then so be it, I was just trying to be
helpful by pointing out that you can get ready compiled packages.

Rowland
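The allocating behaviour of idmap.ldb that Rowland describes above (RID taken from the end of the SID, three fixed mappings, everything else handed out first come, first served from the 3000000 range) can be modelled in a few lines. The following is an added example written for this page, not Samba's own code and not from the thread; the domain SID, the account names and RIDs 1104/1105, and the 3000000 starting point are constructed assumptions. The well-known RIDs 500, 513 and 514 are real AD constants; the uid/gid values they map to are the ones the post lists.

```python
"""Toy model of Samba's allocating idmap.ldb backend (added example, not Samba code).

It parses a domain SID string to get the RID, applies the three fixed
mappings the post lists (Administrator -> uid 0, Domain Users -> gid 100,
Domain Guests -> gid 65534) and otherwise allocates xidNumbers in order of
first lookup, starting at 3000000 (assumed default, per the post).
"""
import re

# Domain SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>; the RID is the last part.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Well-known RIDs, identical in every AD domain.
RID_ADMINISTRATOR = 500
RID_DOMAIN_USERS = 513
RID_DOMAIN_GUESTS = 514

# The three exceptions to first-come allocation described in the post.
FIXED_MAPPINGS = {
    RID_ADMINISTRATOR: ("ID_TYPE_UID", 0),      # Unix user 'root'
    RID_DOMAIN_USERS: ("ID_TYPE_GID", 100),     # Unix group 'users'
    RID_DOMAIN_GUESTS: ("ID_TYPE_GID", 65534),  # Unix group 'nogroup'
}

ALLOC_START = 3000000  # assumed starting xidNumber for allocated IDs


def rid_from_sid(sid: str) -> int:
    """Return the RID of a domain SID; reject BUILTIN and other non-domain SIDs."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


class IdmapLdb:
    """First-come allocator; fixed mappings win, repeat lookups are stable."""

    def __init__(self, start: int = ALLOC_START):
        self.next_xid = start
        self.table: dict[str, tuple[str, int]] = {}  # sid -> (type, xidNumber)

    def lookup(self, sid: str, id_type: str = "ID_TYPE_BOTH") -> tuple[str, int]:
        if sid in self.table:
            return self.table[sid]
        rid = rid_from_sid(sid)
        if rid in FIXED_MAPPINGS:
            entry = FIXED_MAPPINGS[rid]
        else:
            entry = (id_type, self.next_xid)
            self.next_xid += 1
        self.table[sid] = entry
        return entry


def demo() -> list[tuple[str, str, int]]:
    """Constructed lookup sequence, in the order a fresh DC might first see it."""
    dom = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
    idmap = IdmapLdb()
    lookups = [
        ("Administrator", f"{dom}-500", "ID_TYPE_UID"),
        ("Domain Users", f"{dom}-513", "ID_TYPE_GID"),
        ("alice", f"{dom}-1104", "ID_TYPE_UID"),  # first allocated -> 3000000
        ("Domain Guests", f"{dom}-514", "ID_TYPE_GID"),
        ("bob", f"{dom}-1105", "ID_TYPE_UID"),    # second allocated -> 3000001
        ("alice", f"{dom}-1104", "ID_TYPE_UID"),  # repeat: same xidNumber
    ]
    return [(name, *idmap.lookup(sid, t)) for name, sid, t in lookups]


if __name__ == "__main__":
    for name, id_type, xid in demo():
        print(f"{name:15} {id_type:12} {xid}")
```

Because Administrator is pinned to uid 0, a separate AD account named 'root' would share its name with the Unix superuser while carrying a different, allocated ID, which is the clash the post warns about. The order-dependence is also why the allocated numbers (3000000, 3000001, ...) differ between DCs unless idmap.ldb is copied across, whereas the three fixed mappings are the same everywhere.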
