
Linux Authentication Flow (NSS -> PAM -> AD)

4 votes
0 answers
2354 views
I am a new system administrator at an organization looking to understand the process flow of authentication with regard to how NSS, PAM and WINBIND work together. We've been having winbind-related problems, and I'd like to try and improve our configuration. Here are some key configuration files. Note I only copied small parts for the sake of brevity.

**/etc/ssh/sshd_config**

```
UsePAM yes
```

**/etc/nsswitch.conf**

```
passwd:   files ldap winbind
shadow:   files ldap winbind
group:    files ldap winbind
services: files ldap
```

**/etc/pam.d/ssh**

```
auth required   pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_krb5.so
auth sufficient pam_unix.so nullok
auth required   pam_deny.so
```

As an example, let's say I try to SSH into a Linux system using an account that is in an AD domain. The Linux system is using winbind to interface with AD. Below is the flow of how **I think** this would work:

1. The SSH service receives a request to access it through port 22. The user enters their credentials.
2. Since the SSH service is configured to use PAM for authentication, it will reference "/etc/pam.d/ssh" to see which PAM modules are to be used.
3. In PAM, SSH is configured to try the 'pam_winbind.so' module first. This module's function is to query AD for authentication. If it is successful, that is sufficient to satisfy PAM, so it grants the user access. Otherwise, it continues down the list.

Where does NSS fit into this process? I'm having a hard time understanding what NSS actually does. I thought it was a system which tells the OS where to look for certain "names". For example, if looking for a user account (using the nsswitch.conf file above), it will first look at the local "files". If the account information can't be found there, it will look to an "ldap" server, and then finally "winbind". But isn't this what PAM is doing? PAM is utilizing the 'pam_winbind.so' library to authenticate with whatever domain controller winbind is configured for.

Why do we need "winbind" listed in NSS? Perhaps this is for services that don't use PAM? Is it usually one or the other? Any transfer of knowledge here would be very much appreciated!
Asked by azurepancake (201 rep)
Feb 19, 2016, 10:00 PM
Last activity: Mar 20, 2020, 09:05 AM
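The following is an added example, not part of the question or of any answer on this page. It models the two lookups the question conflates: NSS resolves a user name to an account record (uid, gid, home, shell) by walking the sources in `nsswitch.conf` order, while PAM evaluates the `auth` stack from the question's `/etc/pam.d/ssh` to decide whether the credential is valid. The directories, the `CORP\alice` account, and the per-module verdicts are constructed inputs; `simulate_login` is a hypothetical stand-in for sshd, and the PAM evaluator implements the Linux-PAM meaning of the simple control keywords (`required`, `requisite`, `sufficient`, `optional`).

```python
"""Model of the NSS -> PAM split in an sshd login (added example, not from the page).
All directories, names and module verdicts below are constructed."""

NSSWITCH = "passwd: files ldap winbind"   # order taken from the question's nsswitch.conf

# Constructed answer sets for each NSS source: name -> (uid, gid, home, shell).
NSS_SOURCES = {
    "files":   {"root": (0, 0, "/root", "/bin/bash")},
    "ldap":    {"svc_backup": (5001, 5001, "/home/svc_backup", "/bin/sh")},
    "winbind": {"CORP\\alice": (10001, 10000, "/home/CORP/alice", "/bin/bash")},
}

# The auth stack from the question's /etc/pam.d/ssh as (control, module) pairs.
PAM_SSH_AUTH = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_winbind.so"),
    ("sufficient", "pam_krb5.so"),
    ("sufficient", "pam_unix.so"),
    ("required",   "pam_deny.so"),
]


def nss_lookup(username, nsswitch=NSSWITCH, sources=NSS_SOURCES):
    """getpwnam(3)-style lookup: walk the sources in nsswitch order, first hit wins.
    Returns (source, entry) or None when no configured source knows the name."""
    db, _, order = nsswitch.partition(":")
    if db.strip() != "passwd":
        raise ValueError("expected a passwd line")
    for src in order.split():
        entry = sources.get(src, {}).get(username)
        if entry is not None:
            return src, entry
    return None


def pam_authenticate(stack, verdicts):
    """Evaluate a Linux-PAM auth stack.  `verdicts` maps module -> True/False and
    stands in for each module's own result.  Returns (granted, trace).

    Control flags modelled (Linux-PAM semantics of the simple keywords):
      required   failure is remembered, but later modules still run
      requisite  failure ends the stack immediately
      sufficient success ends the stack with PAM_SUCCESS unless an earlier
                 required module already failed; its failure is ignored
      optional   does not affect the result unless it is the only module
    """
    trace, required_failed, any_success = [], False, False
    for control, module in stack:
        ok = verdicts.get(module, False)          # module with no verdict: fails
        trace.append((module, control, ok))
        if control in ("required", "requisite"):
            if ok:
                any_success = True
            elif control == "requisite":
                return False, trace
            else:
                required_failed = True
        elif control == "sufficient" and ok and not required_failed:
            return True, trace
        elif control == "optional" and ok and len(stack) == 1:
            any_success = True
    # Fell off the end: succeed only if nothing required failed and something passed.
    return (not required_failed and any_success), trace


def simulate_login(username, verdicts, nsswitch=NSSWITCH):
    """One sshd login attempt (hypothetical model): NSS resolves the account,
    PAM checks the credential.  A real sshd still runs the PAM stack for an
    unknown name, so timing does not reveal which names exist, but it cannot
    start a session for a name that no NSS source can turn into a passwd entry."""
    account = nss_lookup(username, nsswitch)
    granted, trace = pam_authenticate(PAM_SSH_AUTH, verdicts)
    return {
        "nss_source": account[0] if account else None,
        "pam_granted": granted,
        "pam_trace": [m for m, _, _ in trace],
        "login": granted and account is not None,
    }


if __name__ == "__main__":
    good = {"pam_env.so": True, "pam_winbind.so": True}
    print(simulate_login("CORP\\alice", good))                        # winbind answers both
    print(simulate_login("CORP\\alice", {"pam_env.so": True}))        # wrong password
    print(simulate_login("CORP\\alice", {"pam_winbind.so": True}))    # required pam_env fails
    print(simulate_login("CORP\\alice", good, "passwd: files ldap"))  # winbind absent from NSS
```

The last scenario is the one worth watching: with `winbind` removed from the `passwd` line, `pam_winbind.so` still says yes, yet the login cannot complete because nothing resolves the domain account to a uid and home directory. The third scenario shows why the stack ends with `pam_deny.so`: once a `required` module has failed, a later `sufficient` success no longer short-circuits the stack, so the result is a denial even though the directory accepted the password.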