[Samba] nss, samba3/ldap PDC, NT4 interdomain trust and performance

Denis Cardon denis.cardon at tranquil-it-systems.fr
Wed Oct 1 08:39:30 MDT 2014 

Hi again,

> last week I took a look at a samba3 PDC server with some performance
> issues. The samba3 PDC has an ldap backend and has nss_ldap configured
> properly. It has also interdomain trust so it has nss_winbind configured
> too, so in /etc/nsswitch.conf there is :
>
> passwd: compat ldap winbind
> group: compat ldap winbind

In the samba4 source tree, the idmap_rfc2307.c source file has code the 
connection not only AD but also to a standard openldap. This could 
replace nss_ldap and make it unnecessary.

Does anyone has experience with winbind rfc2307 idmap module in a NT4 
style samba3 PDC scenario?

Is there a reason why it is not shipped with the samba-3.6.24 tarball? I 
think this is strange because it is located in the source3 folder of 
samba4 tarball...

Thanks,

Denis

>
> This setup has some performance issues on the nss_ldap part of the
> configuration (about 4000+ accounts in the ldap) mainly because there is
> no caching on the ldap part. I don't have the whole history of the
> setup, but I guess there is no nscd because the samba doc stated that
> one shall not to enable nscd when winbind is used [1].
>
> My first thought would be to migrate the whole thing to samba4 (I hope
> we will have the opportunity to experiment with interdomain trust in 4.2
> :-).
>
> But in the mean time being, I was wondering how y'all did in the
> glorious old days of samba3 to manage this kind of setup : large
> samba3/openldap PDC with interdomain trust.
>
> Would you advise to remove of the nss_ldap part and replace it with
> idmap_ldap in winbind? I have never been a great fan of idmap_ldap and
> I'd prefer not to add an extra OU to the ldap tree. According to the
> idmap documentation it cannot be used with standard rfc2307 attributes,
> is it sill true?
>
> Nlscd could also be a candidate since it has a basic caching ability but
> I don't have much experience with it. Or perhaps sssd, but I have never
> tried it in samba3pdc environment (yeah, sorry, I know, sssd usually
> generate lively threads on this mailing list :-)
>
> I'd be happy to hear from you all. Thanks,
>
> Denis
>
> [1]
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2657241
>
>


-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

More information about the samba mailing list