In the course of helping customers migrate to Centrify Adbindproxy, Support has identified some instances where the scale of a Samba environment impacts the effectiveness of the new adbindproxy component. This blog summarizes a recent issue and a workaround which may help other customers facing a similar situation.
Centrify supports another way of implementing stock Samba4 with Centrify that does not use adbindd but uses NSS instead. Access control is then based on the NSS users and groups that winbind resolves, rather than on adbindd's lookups against Active Directory.
In one customer's environment, Samba was used to share directories to a large number of end users who were moving and accessing lots of large media files to and from those shares.
On the server hosting the Samba shares, adclient showed high CPU usage and adbindd was segfaulting frequently, which made the Samba shares inaccessible.
In order for the Samba shares to become accessible again, adbindd had to be restarted.
During troubleshooting, Centrify Support helped the customer transition their Samba implementation to use NSS instead of adbindd, to alleviate the segfaults and the high CPU usage from adclient. After making the change, it was determined that the root cause was not adclient: the server in question simply needed additional processing power to handle the load. The change did at least allow the Samba shares to keep running without adbindd segfaulting under the heavy load on the server.
There may be instances where adbindd is causing issues, and using NSS instead is a supported implementation/workaround. A few points to keep in mind:
-This will only work with stock Samba4, as changes made in Samba4 allow for better integration with NSS.
-The adbindproxy.pl script will still need to be run initially to set up the adclient/Samba4 interoperability. This is required because Samba and adclient share the machine account and machine credentials.
-The users will need to exist in (be visible in) the getent passwd output, or they will not have access to the share. As long as they have been provisioned in the zone and have a valid role assignment, the users should show up in the getent passwd output.
-In smb.conf, under the share settings, groups listed for the valid users setting will need to be written in the '+group' format instead of the AD group format '+QC\group'.
-SELinux needs to be set to permissive. You can check the current SELinux mode by running getenforce. You can set SELinux to permissive by running setenforce permissive.
After the initial configuration with Centrify adbindproxy, follow the below steps to finish the conversion to use NSS instead of adbindd.
1. Modify /etc/samba/smb.conf
Comment out the following 2 lines:
# idmap config * : backend = tdb
# idmap config * : base_tdb = 0
Add the following line:
idmap config * : backend = nss
Save the file.
2. Stop and disable the Centrifydc-samba service
on RHEL 7.x
systemctl stop centrifydc-samba
systemctl disable centrifydc-samba
on RHEL 6.x
service centrifydc-samba stop
chkconfig centrifydc-samba off
3. Enable and start smb, nmb, and winbind
on RHEL 7.x
systemctl enable smb nmb winbind
systemctl start smb nmb winbind
on RHEL 6.x
chkconfig --add smb
chkconfig --add nmb
chkconfig --add winbind
chkconfig smb on
chkconfig nmb on
chkconfig winbind on
service smb start
service nmb start
service winbind start
This allows adbindd to be stopped and NSS used in its place.
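The following script is an added example and is not part of the original post or of Centrify's adbindproxy tooling. It applies step 1 to a copy of smb.conf (commenting out the two tdb idmap lines and adding the nss backend line under [global]), then checks the two points from the notes above that most often trip up a conversion: 'valid users' entries still written in the AD '+DOMAIN\group' form, and whether a user actually resolves through getent passwd. The sample smb.conf it writes is constructed; the share name, the QC workgroup, the group names and the temporary working directory are hypothetical, and it never touches /etc/samba/smb.conf.

```shell
#!/bin/sh
# Added example (not from the original post): convert a copy of smb.conf from the
# adbindproxy tdb idmap settings to the nss backend and run two sanity checks.
# Everything here operates on a constructed sample file in a temporary directory.
set -eu

# Write a constructed smb.conf, laid out the way adbindproxy.pl leaves it, to $1.
# Workgroup, share and group names are hypothetical.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = QC
   security = ads
   idmap config * : backend = tdb
   idmap config * : base_tdb = 0

[media]
   path = /srv/media
   valid users = +QC\media, +editors
   writable = yes
EOF
}

# Rewrite $1 in place: comment out the two tdb lines and add the nss backend line
# directly under [global], unless an nss backend line is already present.
convert_idmap_to_nss() {
    conf="$1"
    have_nss=0
    grep -q '^[[:space:]]*idmap config \* : backend = nss' "$conf" && have_nss=1
    awk -v have_nss="$have_nss" '
        /^[[:space:]]*idmap config \* : backend = tdb[[:space:]]*$/ { print "# " $0; next }
        /^[[:space:]]*idmap config \* : base_tdb = 0[[:space:]]*$/  { print "# " $0; next }
        { print }
        /^\[global\][[:space:]]*$/ && !have_nss { print "idmap config * : backend = nss"; have_nss = 1 }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the active (uncommented) idmap backend configured in $1: tdb, nss, or none.
idmap_backend() {
    backend=$(grep -E '^[[:space:]]*idmap config \* : backend = ' "$1" | sed 's/.*= *//' | tail -n 1)
    [ -n "$backend" ] && echo "$backend" || echo none
}

# Print every 'valid users' entry written as +DOMAIN\group. With the nss backend
# these must be rewritten to the plain +group form. Always exits 0.
ad_style_groups() {
    grep -E '^[[:space:]]*valid users[[:space:]]*=' "$1" | tr ',' '\n' \
        | grep -oE '\+[A-Za-z0-9_.-]+\\[^[:space:],]+' || true
}

# Succeed only if $1 is visible through NSS, i.e. appears in getent passwd.
user_visible_to_nss() {
    getent passwd "$1" >/dev/null 2>&1
}

workdir=$(mktemp -d)
write_sample_conf "$workdir/smb.conf"
echo "before: idmap backend = $(idmap_backend "$workdir/smb.conf")"
convert_idmap_to_nss "$workdir/smb.conf"
echo "after:  idmap backend = $(idmap_backend "$workdir/smb.conf")"
groups=$(ad_style_groups "$workdir/smb.conf")
[ -n "$groups" ] && echo "rewrite these valid users entries to +group form: $groups"
# root is used only because it exists on every host; substitute a zone-provisioned
# AD user to confirm that user will be able to reach the share.
user_visible_to_nss root && echo "root resolves through NSS (getent passwd)"
rm -rf "$workdir"
```

Run it on a copy of the real smb.conf by pointing convert_idmap_to_nss and ad_style_groups at that copy; anything ad_style_groups prints is a share that will deny access until the entry is changed to '+group', and any AD user for which user_visible_to_nss fails has not been provisioned in the zone with a valid role assignment.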
For reference, please see the following KB which also addresses this solution:
KB-7456: How to make winbind work with NSS instead of adbindd using Samba4