Applies to: All versions of Centrify adbindproxy and stock Samba4 on RHEL
Question: Can adbindd be bypassed and NSS be used instead with winbindd on Samba4?
Answer: Yes, adbindd can be bypassed so that winbind on Samba4 uses NSS instead.
The adbindproxy.pl script still needs to be run to set up the adclient/Samba4 interoperability initially. This is required because Samba and adclient share the machine account and machine credentials.
After the initial configuration, do the following:
1. Modify /etc/samba/smb.conf
Comment out the following 2 lines:
# idmap config * : backend = tdb
# idmap config * : base_tdb = 0
Add the following line:
idmap config * : backend = nss
Save the file.
2. Stop and disable the Centrifydc-samba service
On RHEL 7.x
systemctl stop centrifydc-samba
systemctl disable centrifydc-samba
On RHEL 6.x
service centrifydc-samba stop
chkconfig centrifydc-samba off
3. Enable and start smb, nmb, and winbind
On RHEL 7.x
systemctl enable smb nmb winbind
systemctl start smb nmb winbind
On RHEL 6.x
chkconfig --add smb
chkconfig --add nmb
chkconfig --add winbind
chkconfig smb on
chkconfig nmb on
chkconfig winbind on
service smb start
service nmb start
service winbind start
This allows adbindd to be stopped. Although samba and adclient still share the machine account (and its credential), access control is now based on NSS users and groups and not Active Directory.
In the smb.conf under the share settings, if groups are listed for the valid users setting, the '+group' format will need to be used instead of the AD group format '+QC\group'.
The users will also need to exist in, or be visible in, the getent passwd output, or they will not have access to the share. As long as they have been provisioned in the zone and have a valid role assignment, the users should show up in the getent passwd output.
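The smb.conf edit from step 1 and the NSS visibility check described above, as an added example script (not part of the Centrify article). It assumes the two tdb idmap lines appear in smb.conf exactly as quoted in step 1, and that the share's valid users line is comma- or space-separated.

```shell
#!/bin/sh
# Added example, not from the Centrify KB: scripts the step-1 idmap change
# and checks "valid users" names against NSS before the share goes live.

# Comment out the tdb idmap lines and add the nss backend (safe to re-run).
switch_idmap_to_nss() {
    conf="$1"
    # Nothing to do if the nss backend is already configured.
    grep -q '^[[:space:]]*idmap config \* : backend = nss' "$conf" && return 0
    awk '
      /^[[:space:]]*idmap config \* : backend = tdb/ {
          print "# " $0                           # keep old line, commented
          print "idmap config * : backend = nss"  # nss backend in its place
          next
      }
      /^[[:space:]]*idmap config \* : base_tdb = 0/ { print "# " $0; next }
      { print }
    ' "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

# Print every name from "valid users =" lines, one per line, keeping the
# leading '+' so groups stay distinguishable from users.
list_valid_users() {
    sed -n 's/^[[:space:]]*valid users[[:space:]]*=[[:space:]]*//p' "$1" |
        tr ',' ' ' | tr -s ' ' '\n' | sed '/^$/d'
}

# Return 0 if NSS (getent) resolves the name: '+name' is looked up as a
# group, anything else as a user. With the nss backend, a name that fails
# here will not get share access, which is the article's getent rule.
nss_resolve() {
    case "$1" in
        +*) getent group "${1#+}" >/dev/null 2>&1 ;;
        *)  getent passwd "$1" >/dev/null 2>&1 ;;
    esac
}

# List the valid users entries of a config that NSS cannot resolve.
report_unresolved() {
    list_valid_users "$1" | while read -r name; do
        nss_resolve "$name" || echo "unresolved: $name"
    done
}
```

Run `report_unresolved /etc/samba/smb.conf` after the change; any '+QC\group' style entry or unprovisioned user shows up as unresolved and should be corrected before restarting smb, nmb and winbind.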
Note:
SELinux will also need to be set to permissive mode.
setenforce permissive