KB-7456: How to make winbind work with NSS instead of adbindd using samba4

Authentication Service

29 June 2018 at 08:06 PM

Applies to:

All versions of Centrify adbindproxy and stock Samba4 on RHEL

Can adbindd be bypassed and NSS be used instead with winbindd on Samba4?

Yes, adbindd can be bypassed so that winbind uses NSS on Samba4.

The adbindproxy setup script still needs to be run once to establish adclient/samba4 interoperability. This is required because samba and adclient share the machine account and its credentials.

After the initial configuration:

1. Modify /etc/samba/smb.conf

   Comment out the following 2 lines:

       #    idmap config * : backend  = tdb
       #    idmap config * : base_tdb = 0

   Add the following line:

       idmap config * : backend  = nss

   Save the file.

2. Stop and disable the centrifydc-samba service

   On RHEL 7.x:

       systemctl stop centrifydc-samba
       systemctl disable centrifydc-samba

   On RHEL 6.x:

       service centrifydc-samba stop
       chkconfig centrifydc-samba off

3. Enable and start smb, nmb, and winbind

   On RHEL 7.x:

       systemctl enable smb nmb winbind
       systemctl start smb nmb winbind

   On RHEL 6.x:

       chkconfig --add smb
       chkconfig --add nmb
       chkconfig --add winbind
       chkconfig smb on
       chkconfig nmb on
       chkconfig winbind on

       service smb start
       service nmb start
       service winbind start

This allows adbindd to be stopped. Although samba and adclient still share the machine account (and its credential), share access control is now based on the users and groups that NSS returns, not on Active Directory directly.

In smb.conf, under the share settings, if groups are listed in the valid users setting, the '+group' format must be used instead of the AD group format '+QC\group'.

The users must also appear in the getent passwd output, or they will not have access to the share. As long as they have been provisioned in the zone and have a valid role assignment, the users will show up in the getent passwd output.
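The following is an added shell example, not part of the original Centrify article: it applies the step 1 smb.conf change with awk, reports the active idmap backend, and flags any valid users entry still written in the '+QC\group' form. The smb.conf content in make_sample_conf is constructed for the demonstration and assumes the example domain name QC used above.

```shell
#!/bin/sh
# Added example: rewrite the idmap lines from step 1 and flag 'valid users'
# entries that still use the AD '+DOMAIN\group' form. The smb.conf content
# in make_sample_conf is constructed for this demonstration.

# Comment out the two tdb idmap lines and add the nss backend under [global].
switch_idmap_to_nss() {               # $1: path to smb.conf, edited in place
    awk '
        /^[[:space:]]*idmap config \* : (backend[[:space:]]*=[[:space:]]*tdb|base_tdb)/ {
            print "#" $0; next        # keep the old lines, commented out
        }
        /^[[:space:]]*\[global\]/ && !inserted {
            print; print "    idmap config * : backend  = nss"; inserted = 1; next
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the active (uncommented) backend value for "idmap config *".
idmap_backend() {
    sed -n 's/^[[:space:]]*idmap config \* : backend[[:space:]]*=[[:space:]]*//p' "$1"
}

# Exit 0 if any 'valid users' line still names a group as +DOMAIN\group,
# which must become +group once winbind resolves names through NSS.
has_ad_group_entries() {
    grep -Eq '^[[:space:]]*valid users[[:space:]]*=.*\+[^[:space:],]+\\' "$1"
}

# Write a constructed smb.conf fragment to a temp file and print its path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[global]
    workgroup = QC
    security = ads
    idmap config * : backend  = tdb
    idmap config * : base_tdb = 0
[share]
    path = /srv/share
    valid users = +QC\sharegroup
EOF
    echo "$f"
}
```

Run switch_idmap_to_nss against a copy of /etc/samba/smb.conf, then confirm with idmap_backend that nss is the only active backend before restarting the services in step 3.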


SELinux will also need to be set to permissive:

    setenforce permissive

Note that setenforce only changes the running mode; to keep permissive mode across reboots, set SELINUX=permissive in /etc/selinux/config as well.