Best Way To Not Have Software Packages Be Deleted By CentOS 10 Updates

I want to keep Samba the AD DC Version on my system, but CentOS removes it.
I have seen commands like: sudo dnf update --exclude=httpd
Is that just for a user initiated update? I also see in the /etc/ directory
ls -l /etc/dnf/protected.d/
total 36
-rw-r--r--. 1 root root 14 Sep 7 17:00 grub2-efi-x64.conf
-rw-r--r--. 1 root root 9 Sep 7 17:00 grub2-pc.conf
-rw-r--r--. 1 root root 20 Sep 7 17:00 grub2-tools-minimal.conf
-rw-r--r--. 1 root root 24 Aug 20 17:00 selinux-policy-targeted.conf
-rw-r--r--. 1 root root 6 Apr 7 2025 setup.conf
-rw-r--r--. 1 root root 38 Jul 1 17:00 shim.conf
-rw-r--r--. 1 root root 5 Jul 7 17:00 sudo.conf
-rw-r--r--. 1 root root 21 Aug 14 17:00 systemd.conf
-rw-r--r--. 1 root root 4 Apr 24 2024 yum.conf

If I wanted to keep samba
samba -V
Version 4.22.4-tranquilit-1

How would I set up a .conf file for that?

I need more information to understand what is getting removed or what is happening.

  1. Is the package getting removed or replaced with something else? If it is being replaced, what is the package replacing it?
  2. What is the exact package which is getting removed, and is the package a CentOS Stream package or a third party one?

Those can help with what type of ‘lock’ can best fix the problem you are running into. Using the protected will stop a manual removal, but it may not stop something where XYZ package is saying it is a newer or better package than what you have installed. Another thing to look for is exclude= in man dnf.conf

It so happens I have more information now, because after I went through the whole exercise of creating a list of modules to keep related to samba from the web site shown, I could not get a version of samba from the normal CentOS dnf packages to support AD DC operability.

I determined the list of modules I needed that related to the samba modules that came from the install offered from samba.tranquil.it. I used "yum list installed | grep samba", then I generated a list of modules to use: yum versionlock add 'samba*'. Then I rebooted; there was no overwrite of samba, but I received these messages when trying to update. As you can see, the sssd packages from the CentOS 10 build won’t install because of conflicts with the install of Samba that supports AD DC from the aforementioned web site.

sudo yum update
Last metadata expiration check: 1:00:48 ago on Sun 12 Oct 2025 11:58:28 AM PDT.
Error:
 Problem 1: package libldb-4.23.0-101.el10.x86_64 from baseos requires libreplace-private-samba.so(SAMBA_4.23.0_PRIVATE_SAMBA)(64bit), but none of the providers can be installed
  - package libldb-4.23.0-101.el10.x86_64 from baseos requires samba-common-libs = 4.23.0-101.el10, but none of the providers can be installed
  - cannot install the best update candidate for package libldb-4.22.4-1.el10.x86_64
  - package samba-common-libs-4.23.0-101.el10.x86_64 from baseos is filtered out by exclude filtering
 Problem 2: package sssd-ipa-2.11.1-3.el10.x86_64 from baseos requires samba-client-libs >= 4.23.0, but none of the providers can be installed
  - cannot install the best update candidate for package sssd-ipa-2.11.1-2.el10.x86_64
  - package samba-client-libs-4.23.0-101.el10.x86_64 from baseos is filtered out by exclude filtering
 Problem 3: package sssd-ad-2.11.1-3.el10.x86_64 from baseos requires samba-client-libs >= 4.23.0, but none of the providers can be installed
  - cannot install the best update candidate for package sssd-ad-2.11.1-2.el10.x86_64
  - package samba-client-libs-4.23.0-101.el10.x86_64 from baseos is filtered out by exclude filtering
 Problem 4: package sssd-2.11.1-3.el10.x86_64 from baseos requires sssd-ad = 2.11.1-3.el10, but none of the providers can be installed
  - package sssd-ad-2.11.1-3.el10.x86_64 from baseos requires samba-client-libs >= 4.23.0, but none of the providers can be installed
  - cannot install the best update candidate for package sssd-2.11.1-2.el10.x86_64
  - package samba-client-libs-4.23.0-101.el10.x86_64 from baseos is filtered out by exclude filtering
 Problem 5: problem with installed package sssd-ipa-2.11.1-2.el10.x86_64
  - package sssd-ipa-2.11.1-2.el10.x86_64 from @System requires libipa_hbac(x86-64) = 2.11.1-2.el10, but none of the providers can be installed
  - package sssd-ipa-2.11.1-2.el10.x86_64 from baseos requires libipa_hbac(x86-64) = 2.11.1-2.el10, but none of the providers can be installed
  - cannot install both libipa_hbac-2.11.1-3.el10.x86_64 from baseos and libipa_hbac-2.11.1-2.el10.x86_64 from @System
  - cannot install both libipa_hbac-2.11.1-3.el10.x86_64 from baseos and libipa_hbac-2.11.1-2.el10.x86_64 from baseos
  - package sssd-ipa-2.11.1-3.el10.x86_64 from baseos requires samba-client-libs >= 4.23.0, but none of the providers can be installed
  - cannot install the best update candidate for package libipa_hbac-2.11.1-2.el10.x86_64
  - package samba-client-libs-4.23.0-101.el10.x86_64 from baseos is filtered out by exclude filtering
 Problem 6: problem with installed package sssd-ad-2.11.1-2.el10.x86_64
  - package sssd-ad-2.11.1-2.el10.x86_64 from @System requires sssd-common = 2.11.1-2.el10, but none of the providers can be installed
  - package sssd-ad-2.11.1-2.el10.x86_64 from baseos requires sssd-common = 2.11.1-2.el10, but none of the providers can be installed
  - package libsss_certmap-2.11.1-3.el10.x86_64 from baseos conflicts with sssd-common < 2.11.1-3.el10 provided by sssd-common-2.11.1-2.el10.x86_64 from @System
  - package libsss_certmap-2.11.1-3.el10.x86_64 from baseos conflicts with sssd-common < 2.11.1-3.el10 provided by sssd-common-2.11.1-2.el10.x86_64 from baseos
  - package sssd-ad-2.11.1-3.el10.x86_64 from baseos requires samba-client-libs >= 4.23.0, but none of the providers can be installed
  - cannot install the best update candidate for package libsss_certmap-2.11.1-2.el10.x86_64
  - package samba-client-libs-4.23.0-101.el10.x86_64 from baseos is filtered out by exclude filtering
 Problem 7: problem with installed package sssd-2.11.1-2.el10.x86_64
  - package sssd-2.11.1-2.el10.x86_64 from @System requires sssd-common = 2.11.1-2.el10, but none of the providers can be installed
  - package sssd-2.11.1-2.el10.x86_64 from baseos requires sssd-common = 2.11.1-2.el10, but none of the providers can be installed
  - package sssd-2.11.1-3.el10.x86_64 from baseos requires sssd-ipa = 2.11.1-3.el10, but none of the providers can be installed
  - package libsss_sudo-2.11.1-3.el10.x86_64 from baseos conflicts with sssd-common < 2.11.1-3.el10 provided by sssd-common-2.11.1-2.el10.x86_64 from @System
  - package libsss_sudo-2.11.1-3.el10.x86_64 from baseos conflicts with sssd-common < 2.11.1-3.el10 provided by sssd-common-2.11.1-2.el10.x86_64 from baseos
  - package sssd-ipa-2.11.1-3.el10.x86_64 from baseos requires samba-client-libs >= 4.23.0, but none of the providers can be installed
  - cannot install the best update candidate for package libsss_sudo-2.11.1-2.el10.x86_64
  - package samba-client-libs-4.23.0-101.el10.x86_64 from baseos is filtered out by exclude filtering
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
root@netserver03:~# sudo yum update sssd
Last metadata expiration check: 1:03:22 ago on Sun 12 Oct 2025 11:58:28 AM PDT.
Error:
 Problem: package sssd-2.11.1-3.el10.x86_64 from baseos requires sssd-ad = 2.11.1-3.el10, but none of the providers can be installed
  - package sssd-ad-2.11.1-3.el10.x86_64 from baseos requires samba-client-libs >= 4.23.0, but none of the providers can be installed
  - cannot install the best update candidate for package sssd-2.11.1-2.el10.x86_64
  - package samba-client-libs-4.23.0-101.el10.x86_64 from baseos is filtered out by exclude filtering
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

I might be missing something here, but to me it appears the culprit is sssd. As you do not need and, in my opinion, shouldn’t run sssd on a Samba AD DC, just remove sssd. See if that fixes your problem.
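
An added example, not part of any post in this thread: a small shell filter that reads dnf error text like the output quoted above and lists which update candidates were hidden by the exclude/versionlock filter and which packages asked for them. The function names and the embedded excerpt (a few lines taken from that output) are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed sample: excerpt of the dnf error quoted in the thread.
sample_dnf_error() {
cat <<'EOF'
 Problem 1: package libldb-4.23.0-101.el10.x86_64 from baseos requires libreplace-private-samba.so(SAMBA_4.23.0_PRIVATE_SAMBA)(64bit), but none of the providers can be installed
  - package libldb-4.23.0-101.el10.x86_64 from baseos requires samba-common-libs = 4.23.0-101.el10, but none of the providers can be installed
  - package samba-common-libs-4.23.0-101.el10.x86_64 from baseos is filtered out by exclude filtering
 Problem 2: package sssd-ipa-2.11.1-3.el10.x86_64 from baseos requires samba-client-libs >= 4.23.0, but none of the providers can be installed
  - package samba-client-libs-4.23.0-101.el10.x86_64 from baseos is filtered out by exclude filtering
 Problem 4: package sssd-2.11.1-3.el10.x86_64 from baseos requires sssd-ad = 2.11.1-3.el10, but none of the providers can be installed
  - package sssd-ad-2.11.1-3.el10.x86_64 from baseos requires samba-client-libs >= 4.23.0, but none of the providers can be installed
EOF
}

# Print each package that dnf reports as hidden by an exclude or versionlock filter.
excluded_pkgs() {
  awk '/is filtered out by exclude filtering/ {
         for (i = 1; i < NF; i++) if ($i == "package") { print $(i + 1); break }
       }' | LC_ALL=C sort -u
}

# Print "<requirer> needs <name>" for each requirement whose name matches
# an excluded package (name followed by "-<version>").
blocked_by_exclude() {
  awk '
    { p = 0; for (i = 1; i < NF; i++) if ($i == "package") { p = i; break } }
    p == 0 { next }
    /is filtered out by exclude filtering/ { excl[$(p + 1)] = 1; next }
    $(p + 4) == "requires" {
      n = $(p + 5); sub(/,$/, "", n)          # drop trailing comma on bare names
      want[$(p + 1) " needs " n] = n
    }
    END {
      for (k in want) for (e in excl) {
        n = want[k]
        if (substr(e, 1, length(n) + 1) == (n "-") &&
            substr(e, length(n) + 2, 1) ~ /[0-9]/) print k
      }
    }' | LC_ALL=C sort -u
}

# Stand-alone run on the sample; on a real host, pipe in the saved dnf output instead.
sample_dnf_error | blocked_by_exclude
```

On the excerpt this reports libldb, sssd-ad and sssd-ipa as the packages whose updates need a Samba library that the version lock hides from dnf.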

What I have learned working with this issue is:
The web site https://samba.tranquil.it has entries and a build to support samba version 4.23. They also provide an entry to be placed in the /etc directory
cat /etc/yum.repos.d/tissamba.repo
[tis-samba]
name=tis-samba
baseurl= Index of /redhat10/samba-4.22
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-10

I can change this to refer to samba version 4.23.
Below is an MS Copilot (Think Deeper) answer:

Align Samba and SSSD from compatible repos: install Samba and SSSD built against the same ABI (either both from CentOS BaseOS or both from the third‑party repo). This is the cleanest long‑term fix. There is a path forward, but I need to make some backups, like the samba /var/lib/samba directory, so I can go back to this version in case any of my Windows clients fails after the version /var/lib/samba or some other unintended consequence.

I would like to know: is there a planned path for CentOS 9 to go to samba 4.23/4? I tried to update my VMware session to install a version of samba 4.23 from https://samba.tranquil.it; there were incompatibilities there, and I needed to reverse the changes with dnf to restore the Samba AD DC server role operability.

I would not use Samba and sssd. Why? Well, winbind was written first for Samba, mostly by one person; that person went to work for Red Hat and wrote most of the initial sssd, basing it on winbind, so if you run winbind and sssd on the same machine, you are virtually running the same code. You also have the problem of who is responsible for Kerberos tickets?

Don’t get me wrong, sssd is great if you just want authentication, but if shares and NTLM come into the mix (as they do on a Samba AD DC), then you should not use sssd, and you cannot turn off winbind on a Samba DC.

What about gone-session, isn’t sssd required for that to handle security logins etc.? I still use that. On Clear Linux I was using remote gone-desktop it worked when I allowed shared desktop (I believe Wayland was fully implemented by then). I have not been able to get the RDP to work yet, but that is a lower priority for now. With Clear Linux they finally rolled out a fix for that as time went on. As far as being a true headless server never go there (of course ssh worked, but a gui desktop type of remote session I was never able to get to work).

Just to add, if all of the server works with just the security packages delivered for Samba AD DC then I would be fine with that.

Having never used Clear Linux, I have no idea what gone-desktop is, unless you mean gnome desktop, but as I said, sssd is basically a clone of winbind and they both do much the same. Yes, there are differences, but they are pretty much minor.

I meant gnome-desktop, gnome-session. I misspelled gnome as gone.

Then that means the gdm3 desktop manager and yes, that works just as well with winbind as sssd.

I removed sssd on my VMware CentOS Stream 9 session; it appears to be working.

@hortimech was right about removing the sssd package from the CentOS 10 base install. I then installed the latest version of Samba from https://samba.tranquil.it and my server now works. I am now running with the latest version of Samba 4.23.