[Samba] Re: Samba/LDAP/PDC Questions
Paul Gienger
pgienger at ae-solutions.com
Wed Jul 21 13:53:04 GMT 2004
> | 1. In what situation do I need People group as the group for
> | machines?
>
> In the case where you use:
> nss_base_passwd ou=Users,dc=ab,dc=com?one
>
> If you use:
> nss_base_passwd dc=ab,dc=com?sub
Would people please stop suggesting this without explaining the
ramifications? If you do this, you are going to (theoretically)(1)
severely harm the performance on your server. Setting the nss library
to do a search on the 'entire' directory every time it needs to look up
user information is asinine to put it in a word. It's like doing this
in DNS terms... rather than looking for a machine named
'something.else.com' in the dns servers for else.com you go ask .com who
then goes in and asks else.com by proxy. Doing the first example (the
one searching with ?one) you are restricting searches to a respectable
scope, doing the second you are searching all OUs which may be numerous
and deep (in our LDAP tree we have 10 OUs, two of which are at least 3
levels deep).
You would be better served by defining ou=Computers and ou=People under
something like ou=Accounts (which would give you DNs of
ou=Computers,ou=Accounts,dc=ab,dc=com and
ou=People,ou=Accounts,dc=ab,dc=com)
and then set:
nss_base_passwd ou=Accounts,dc=ab,dc=com?sub
Note that I'm not saying that doing a sub search is necessarily bad,
just when you are searching your entire ldap DIT, especially for
something that happens as often as passwd lookups.
(1) I say theoretically because I've never tried it, it's a Bad Idea(C)
from the word go. There are a lot of other things that I haven't tried
that are bad ideas but I can safely say they are also dangerous, such as
sticking forks in my eyes and jumping off cliffs.
--
Paul Gienger Office: 701-281-1884
Applied Engineering Inc.
Information Systems Consultant Fax: 701-281-1322
URL: www.ae-solutions.com mailto: pgienger at ae-solutions.com
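An added illustration of the point above, not part of the original message: a small Python script that models a toy directory (constructed for this example) and counts how many entries a passwd lookup must consider under each of the three nss_base_passwd settings discussed (`dc=ab,dc=com?sub`, `ou=Users,dc=ab,dc=com?one`, `ou=Accounts,dc=ab,dc=com?sub`). The DIT contents and account naming are assumptions made for the example.

```python
"""Compare how much of an LDAP tree each nss_base_passwd scope makes the
NSS library search. TOY_DIT is a constructed example tree, not real data."""

# Constructed toy DIT: a flat list of DNs (case and DN escaping are ignored)
TOY_DIT = [
    "dc=ab,dc=com",
    "ou=Users,dc=ab,dc=com",
    "uid=alice,ou=Users,dc=ab,dc=com",
    "uid=bob,ou=Users,dc=ab,dc=com",
    "ou=Accounts,dc=ab,dc=com",
    "ou=People,ou=Accounts,dc=ab,dc=com",
    "uid=carol,ou=People,ou=Accounts,dc=ab,dc=com",
    "ou=Computers,ou=Accounts,dc=ab,dc=com",
    "uid=ws01$,ou=Computers,ou=Accounts,dc=ab,dc=com",
    "ou=Groups,dc=ab,dc=com",
    "cn=staff,ou=Groups,dc=ab,dc=com",
    "ou=Printers,dc=ab,dc=com",
    "ou=Mail,dc=ab,dc=com",
    "ou=Lists,ou=Mail,dc=ab,dc=com",
    "ou=Archive,ou=Lists,ou=Mail,dc=ab,dc=com",
]

def split_dn(dn):
    # Split a DN into its RDNs; the toy DIT contains no escaped commas
    return [rdn.strip() for rdn in dn.split(",")]

def parse_nss_base(spec):
    """Parse 'base?scope' as written for nss_base_passwd; scope defaults to sub."""
    base, _, scope = spec.partition("?")
    scope = scope or "sub"
    if scope not in ("base", "one", "sub"):
        raise ValueError("unknown scope: %s" % scope)
    return split_dn(base), scope

def in_scope(dn, base, scope):
    rdns = split_dn(dn)
    if rdns[-len(base):] != base:
        return False  # entry is not under the search base at all
    depth = len(rdns) - len(base)  # 0 = the base itself, 1 = direct child
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def entries_searched(dit, spec):
    """DNs the server must consider for one passwd lookup with this setting."""
    base, scope = parse_nss_base(spec)
    return [dn for dn in dit if in_scope(dn, base, scope)]

def accounts_found(dit, spec):
    """Of the entries in scope, those that are account entries (uid= RDN here)."""
    return [dn for dn in entries_searched(dit, spec) if dn.startswith("uid=")]

if __name__ == "__main__":
    for spec in ("dc=ab,dc=com?sub", "ou=Users,dc=ab,dc=com?one",
                 "ou=Accounts,dc=ab,dc=com?sub"):
        print("%-32s scans %2d entries, finds %d accounts" % (
            spec, len(entries_searched(TOY_DIT, spec)), len(accounts_found(TOY_DIT, spec))))
```

Running it shows the whole-DIT `?sub` search touching every entry in the tree to find the same accounts that the narrower bases reach with a fraction of the work.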