[Samba] Problem looking up domain users

Lux smb4 at iotti.biz
Sun Apr 20 06:06:11 UTC 2025


On 2025-04-16 18:00 Rowland Penny via samba wrote:
> On Wed, 16 Apr 2025 15:27:37 +0200
> Lux via samba <samba at lists.samba.org> wrote:
> 
>> On 2025-04-16 15:02 Rowland Penny via samba wrote:
>> > On Wed, 16 Apr 2025 14:36:10 +0200
>> > Lux via samba <samba at lists.samba.org> wrote:
>> >
>> >> On 2025-04-16 12:30 Rowland Penny via samba wrote:
>> >> > On Wed, 16 Apr 2025 11:38:34 +0200
>> >> > Lux via samba <samba at lists.samba.org> wrote:
>> >> >
>> >> >> Hi all.
>> >> >>
>> >> >> I have a problem with a Samba DC for a small domain. It is a
>> >> >> Centos Stream 8 with samba-4.18.5 compiled by me with AD
>> >> >> support.
>> >> >
>> >> >
>> >> > First it is your AD domain and you can do what you like, but:
>> >> >
>> >> > Why are you using a testing Distro ? (Centos stream is upstream
>> >> > from RHEL and between Fedora and RHEL)
>> >>
>> >> Just because it was originally a CentOS 8. I ported it to Stream for
>> >> the known CentOS reasons. Until now it worked like a charm, despite
>> >> being now deemed as a "testing distro". I may switch to something
>> >> else but I'd like to hear if there is some advice about the
>> >> problem I have now.
>> >
>> > I am sorry, but 'Centos' != 'Centos stream', they are totally
>> > different, Centos was RHEL rebuilt without the brand names etc.
>> > Centos Stream is upstream from RHEL, between Fedora and RHEL,
>> > things get tested on Centos stream and may or may not appear in
>> > RHEL.
>> 
>> And then let's say I'm making tests, to see if this setup may work on
>> CentOS Stream too :)
>> Till yesterday (or maybe a month ago) things did work cleanly. Then
>> something happened. I'd like to ask if we can focus on my real
>> problem. If the answer is "go away from Stream", it's a possible
>> answer. I just would like to hear if there is any advice more closely
>> focused on my problem, which is, an error when Windows client tries
>> to enumerate domain users.
> 
> I have checked and nowhere in your initial post does it say that this
> is an existing domain that has 'worked' for some time, so I took it
> (mainly from the use of MIT) that it was something you were testing and
> replied accordingly. I didn't mean to upset you in any way, it wasn't
> my intention, I was just trying to inform you about best practice when
> it comes to Samba AD.

Hello. No problem. Let me make a silly example. In general, when you ask 
for an opinion on a specific problem or a precise consideration on a 
mailing list, sometimes things go like this: suppose you ask someone on 
the street if they know where there is a bakery nearby. And they start 
giving you a sermon on why you shouldn't eat bread, flour and other 
foods of the sort. Treating you as if you were a child who needs to be 
educated in choosing his foods, and not as a grown man open to 
discussion but who has long developed his own tastes and choices. I was 
only looking for a bakery, not a treatise on why I shouldn't look for 
it. Then, any advice and other considerations are welcome, as long as we 
stay on topic: I was looking for a bakery, not a nutritional consultant 
haha :)

Please forgive me for this digression and return to the topic. I waited 
for the weekend, when I could switch to Alma 8. So the doubts about 
Stream ended. I don't think this will make a big difference for my 
problem, but let's remove any doubts. I updated the system and brought 
samba and krb5 to the latest versions of Fedora, which I recompiled in 
the environment as needed. At the moment I have samba-4.22.1 and 
krb5-server-1.21.1-3.
The problem disappeared, even if the warnings in the krb log about the 
deprecation of some encryption protocols (arcfour mainly) remained. It 
seems it was a compatibility problem that suddenly arose between Windows 
11 and the version of Samba I was using, I suppose due to some update.
I did not have to change any configuration files, in fact, as a test I 
had set the crypto-policy of the system to LEGACY:AD-SUPPORT. But it 
works equally even by setting it back to DEFAULT.

Thank you, regards

Luigi



