[Samba] NSCD, should it be used or not with LDAP, pam, nss

Paul Gienger pgienger at ae-solutions.com
Wed May 24 20:56:07 GMT 2006

> In the SBE (samba-3 by example) Pg 161 in the PDF states. (It's
> actually page 200 of the PDF, but 161 of the numbered document pages.)
> "The name service caching daemon (nscd) is a primary cause of
> difficulties with name resolution, particularly where winbind is
> used."
> But the Authconfig in the IDEALX scripts appears to use NSCD, and the
> documents specifically talk about the desirability of caching for
> nss_ldap and pam_ldap.
> (Section 4.2.1 of rev 1.10) (Quote: if you're going to use pam_ldap
> and nss_ldap you really should use it for optimization.)
> Which is right? Why?

Notice the subtle difference here.  One is referring to winbind, the other
is referring to straight up LDAP.  

If you're running LDAP for your UNIX and samba backend you probably want to
cache since the LDAP services don't do it for you.  If you don't run nscd a
lot of times your performance will go through the floor as usage goes up
since there are a LOT of queries going on.

If you have winbind going, it is doing any caching it feels necessary to do
from the server that it is tied to.  Employing nscd in this case is causing
a redundancy of caching, and one more step of latency in the chain for
updates to trickle through.

That's my take on it anyway.

More information about the samba mailing list