11 April,19 at 11:50 AM
In the course of helping customers migrate to Centrify Adbindproxy, Support has identified some instances where the scale of Samba environments impact the effectiveness of the new adbindproxy component. This blog will summarize a recent issue and workaround which may help other customers facing a similar situation.
Centrify supports another way of implementing stock Samba4 with Centrify that does not use adbindd, but uses NSS instead. Access control is then based on NSS users and groups with winbind instead of using adbindd (Active Directory).
Background:
In one customer's environment, they were using Samba to share directories to a large number of end users whom were moving and accessing lots of large media files to and from those shares.
On the server where the Samba shares existed, they were experiencing high cpu usage with adclient and adbindd was segfaulting frequently thus making the samba shares inaccessible.
And in order for the Samba shares to be accessible again, they had to restart adbindd.
In the troubleshooting process, Centrify support helped the customer transition their Samba implementation to use NSS instead of adbindd to help alleviate the segfaulting and high cpu usage from adclient. After making the change, it was determined that the root cause of the issue was not because of adclient but that the server in question needed additional processing power to handle the load. It did at least allow the samba shares to run without adbindd segfaulting because of the heavy load on the server.
There may be instances where adbindd is causing issues and using NSS instead is a supported implementation/workaround.
Prerequisites/Caveats:
-This will only work with stock Samba4 as there have been some changes made in Samba4 that allow for better integration with NSS.
-The adbindproxy.pl script will still need to be run initially to setup the adclient/Samba4 interoperability. This needs to be done as Samba and adclient share the machine account and machine credentials.
-The users will need to exist or be seen in the getent passwd output or they will not have access to the share. As long as they have been provisioned in the zone and have a valid role assignment, the users should show up in the getent passwd output.
-In the smb.conf under the share settings, groups that are listed for the valid users setting, will need to be listed in the '+group' format instead of the AD group format '+QC\group'.
-SELINUX needs to be set to permissive. You can check what SELINUX is set to by running, getenforce. You can set SELINUX to permissve by running, setenforce permissive
Steps:
After the initial configuration with Centrify adbindproxy, follow the below steps to finish the conversion to use NSS instead of adbindd.
1. Modify /etc/samba/smb.conf
Comment out the following 2 lines:
# idmap config * : backend = tdb # idmap config * : base_tdb = 0
Add the following line:
idmap config * : backend = nss
Save the file.
2. Stop and disable the Centrifydc-samba service
on RHEL 7.x
systemctl stop centrifydc-samba systemctl disable centrifydc-samba
on RHEL 6.x
service centrifydc-samba stop chkconfig off centrifydc-samba
3. Enable and start smb, nmb, and winbind
on RHEL 7.x
systemctl enable smb nmb winbind systemctl start smb nmb winbind
on RHEL 6.x
chkconfig --add smb chkconfig --add nmb chkconfig --add winbind chkconfig smb on chkconfig nmb on chkconfig winbind on service smb start service nmb start service winbind start
This allows adbindd to be stopped and NSS used in its place.
For reference, please see the following KB which also addresses this solution:
KB-7456: How to make winbind work with NSS instead of adbindd using Samba4