nobody user running demon

nobody is a generic system user for unprivileged system processes. This is probably normal or a misconfiguration.

I am suspicious that this demon supposed be run by root.

Running samba root is probably a bad idea as it is outward facing, ie., an attack vector. If the daemon is hacked via its net interface and is running root, the attacker now has privileged access to your system. Hence, web servers and the like usually run un-privilleged.

However, because they may require privileges during start-up (eg., to open a low number port), they often start as root and once that stuff is done, drop privileges by switching to another uid (such as nobody).

I have the same process.

nobody 264 0.0 0.4 4304 2052 ? Ss 09:25 0:01 /usr/sbin/thd --triggers /etc/triggerhappy/triggers.d/ --socket /run/thd.socket --user nobody --deviceglob /dev/input/event*

As far as I am aware this is normal.