Replacing nss_ldap with nss_winbind on a DC, Suggestion

David Markey dmarkey at
Wed May 20 10:15:02 GMT 2009

I think it would possibly be a good design decision to replace nss_ldap
with nss_winbind when using an LDAP backend.

I don't know how much work it would take to achieve this but it would
eradicate the nss_ldap dependency. It would also increase performance as
samba/winbind could share the connection to LDAP but samba/nss_ldap cannot.

Also may I suggest that samba supports groupOfNames groups (rfc2307bis)
as an alternative to (dated) posix groups. Be aware that groupOfNames
requires at least 1 member, i.e. a group with no members cannot exist;
some implementations have gotten around that by always having one
"dummy" entry, i.e. "dc=dummy".


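Added example, not part of the original post and not Samba or winbind code: a sketch of how a group resolver could read members from both a posixGroup (`memberUid`) and a groupOfNames (`member` DNs) entry while keeping the "dc=dummy" placeholder from the post out of the effective membership. The function names, the sample entries and the simple comma-split DN parsing (no escaped commas, users named by a leading `uid=` RDN) are assumptions made for illustration.

```python
# Placeholder member value quoted in the post; a deployment may use another.
PLACEHOLDER_DNS = {"dc=dummy"}


def rdn_value(dn, attr="uid"):
    """Return the value of the leading RDN if it is `attr`, else None.

    Assumption: DNs contain no escaped commas, so a plain split is enough.
    """
    first = dn.split(",", 1)[0].strip()
    key, sep, value = first.partition("=")
    if sep and key.strip().lower() == attr:
        return value.strip()
    return None


def group_members(entry):
    """Resolve user names from a posixGroup and/or groupOfNames entry."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    names = set(entry.get("memberUid", []))  # classic posixGroup members
    if "groupofnames" in classes:
        members = entry.get("member", [])
        if not members:
            # The schema makes `member` mandatory; an entry without it is invalid.
            raise ValueError("groupOfNames requires at least one member value")
        for dn in members:
            if dn.strip().lower() in PLACEHOLDER_DNS:
                continue  # keeps the entry schema-valid; must never map to a user
            uid = rdn_value(dn)
            if uid is not None:
                names.add(uid)
    return sorted(names)


# Constructed sample entries (not taken from any real directory).
LEGACY = {"objectClass": ["posixGroup"], "cn": ["staff"],
          "memberUid": ["alice", "bob"]}
BIS = {"objectClass": ["groupOfNames", "posixGroup"], "cn": ["staff"],
       "member": ["uid=alice,ou=People,dc=example,dc=com", "dc=dummy"]}
EMPTY_BIS = {"objectClass": ["groupOfNames", "posixGroup"], "cn": ["nobody"],
             "member": ["dc=dummy"]}

if __name__ == "__main__":
    for e in (LEGACY, BIS, EMPTY_BIS):
        print(e["cn"][0], group_members(e))
```

Treating the placeholder as an explicit skip, rather than letting it fall through name resolution, keeps an "empty" group from granting membership to whatever the placeholder DN might resolve to.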