[Samba] nss, samba3/ldap PDC, NT4 interdomain trust and performance

Christof Schmitt cs at samba.org
Wed Oct 1 09:40:32 MDT 2014

On Wed, Oct 01, 2014 at 04:39:30PM +0200, Denis Cardon wrote:
> Hi again,
> >last week I took a look at a samba3 PDC server with some performance
> >issues. The samba3 PDC has an ldap backend and has nss_ldap configured
> >properly. It has also interdomain trust so it has nss_winbind configured
> >too, so in /etc/nsswitch.conf there is :
> >
> >passwd: compat ldap winbind
> >group: compat ldap winbind
> In the samba4 source tree, the idmap_rfc2307.c source file has code
> to connect not only to AD but also to a standard openldap. This
> could replace nss_ldap and make it unnecessary.
> Does anyone have experience with the winbind rfc2307 idmap module in a
> NT4 style samba3 PDC scenario?
> Is there a reason why it is not shipped with the samba-3.6.24
> tarball? I think this is strange because it is located in the
> source3 folder of samba4 tarball...

The idmap_rfc2307 module is new in the 4.1 release. It would require
some effort to backport it to 3.6, and that probably won't happen since
3.6 only receives security fixes at this point.

I don't have experience with the NT4 style PDC, so there might be some
limitation that I am not aware of, but it seems that if you can upgrade
to 4.1, that module might be worth a try.


> Thanks,
> Denis
> >
> >This setup has some performance issues on the nss_ldap part of the
> >configuration (about 4000+ accounts in the ldap) mainly because there is
> >no caching on the ldap part. I don't have the whole history of the
> >setup, but I guess there is no nscd because the samba doc stated that
> >one shall not enable nscd when winbind is used [1].
> >
> >My first thought would be to migrate the whole thing to samba4 (I hope
> >we will have the opportunity to experiment with interdomain trust in 4.2
> >:-).
> >
> >But in the meantime, I was wondering how y'all did in the
> >glorious old days of samba3 to manage this kind of setup : large
> >samba3/openldap PDC with interdomain trust.
> >
> >Would you advise to remove the nss_ldap part and replace it with
> >idmap_ldap in winbind? I have never been a great fan of idmap_ldap and
> >I'd prefer not to add an extra OU to the ldap tree. According to the
> >idmap documentation it cannot be used with standard rfc2307 attributes,
> >is it still true?
> >
> >nslcd could also be a candidate since it has a basic caching ability but
> >I don't have much experience with it. Or perhaps sssd, but I have never
> >tried it in a samba3 PDC environment (yeah, sorry, I know, sssd usually
> >generates lively threads on this mailing list :-)
> >
> >I'd be happy to hear from you all. Thanks,
> >
> >Denis
> >
> >[1]
> >https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2657241
> >
> >
> -- 
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0)
> http://www.tranquil-it-systems.fr
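As an added illustration of the setup the thread is discussing (not configuration from either poster), this smb.conf fragment maps the trusted domain's SIDs to the existing rfc2307 uidNumber/gidNumber attributes in a stand-alone OpenLDAP via idmap_rfc2307, which needs Samba 4.1 or later; the domain name, LDAP URL, bind DN and OUs are placeholders. Whether the PDC's own domain can be served the same way on an NT4-style PDC is exactly the open question above, so only the trusted domain is configured here.

```ini
[global]
    workgroup = EXAMPLEDOM            ; placeholder: the PDC's own domain
    passdb backend = ldapsam:ldap://ldap.example.com
    ; winbind caches lookups itself (default 300 s), which is the
    ; caching the nss_ldap path in the thread was missing
    winbind cache time = 300

    ; default backend for anything not covered by a per-domain entry
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999

    ; trusted NT4 domain (placeholder name): read uid/gid numbers
    ; from the rfc2307 attributes already present in OpenLDAP,
    ; no extra idmap OU required
    idmap config TRUSTEDDOM : backend = rfc2307
    idmap config TRUSTEDDOM : range = 10000-49999
    idmap config TRUSTEDDOM : ldap_server = stand-alone
    idmap config TRUSTEDDOM : ldap_url = ldap://ldap.example.com
    idmap config TRUSTEDDOM : ldap_user_dn = cn=samba,ou=services,dc=example,dc=com
    idmap config TRUSTEDDOM : bind_path_user = ou=users,dc=example,dc=com
    idmap config TRUSTEDDOM : bind_path_group = ou=groups,dc=example,dc=com
    ; the bind password is not kept in smb.conf: store it with
    ;   net idmap set secret TRUSTEDDOM '<password>'
```

With winbind resolving both domains, /etc/nsswitch.conf drops the ldap module ("passwd: compat winbind" / "group: compat winbind"), and `wbinfo -i TRUSTEDDOM\\user` plus `getent passwd` are the checks that the mapping, and its cached response time, behave as expected.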
