[Samba] nss, samba3/ldap PDC, NT4 interdomain trust and performance

Denis Cardon denis.cardon at tranquil-it-systems.fr
Sun Sep 28 17:37:15 MDT 2014

Hi everyone,

last week I took a look at a samba3 PDC server with some performance 
issues. The samba3 PDC has an ldap backend and has nss_ldap configured 
properly. It also has an interdomain trust, so nss_winbind is configured 
too; in /etc/nsswitch.conf there is:

passwd: compat ldap winbind
group: compat ldap winbind

This setup has some performance issues on the nss_ldap part of the 
configuration (about 4000+ accounts in the ldap), mainly because there is 
no caching on the ldap part. I don't have the whole history of the 
setup, but I guess there is no nscd because the samba doc states that 
one shall not enable nscd when winbind is used [1].

My first thought would be to migrate the whole thing to samba4 (I hope 
we will have the opportunity to experiment with interdomain trust in 4.2).

But in the meantime, I was wondering how y'all managed this kind of 
setup in the glorious old days of samba3: a large samba3/openldap PDC 
with interdomain trust.

Would you advise removing the nss_ldap part and replacing it with 
idmap_ldap in winbind? I have never been a great fan of idmap_ldap and 
I'd prefer not to add an extra OU to the ldap tree. According to the 
idmap documentation it cannot be used with standard rfc2307 attributes; 
is that still true?

nslcd could also be a candidate since it has a basic caching ability, but 
I don't have much experience with it. Or perhaps sssd, but I have never 
tried it in a samba3 PDC environment (yeah, sorry, I know, sssd usually 
generates lively threads on this mailing list :-)

I'd be happy to hear from you all. Thanks,



Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0)
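As an added illustration (not part of the post above, and not Samba or glibc code), the following Python script parses the two configuration files the question turns on, /etc/nsswitch.conf and nscd.conf, and reports the two situations described: a database that lists the "ldap" source with no nscd cache in front of it (every lookup becomes a live LDAP query), and a database that lists "winbind" while nscd caching is enabled for it (the combination the Samba documentation warns against). The sample file contents are constructed for the example; the nscd.conf syntax assumed is the real `enable-cache <database> yes|no` directive. The script treats the source name "ldap" as nss_ldap; nss-pam-ldapd (nslcd) registers under the same name, so a finding on "ldap" means "check which module backs it", not proof of a problem.

```python
"""Audit nsswitch.conf against nscd.conf for uncached nss_ldap lookups and
for nscd caching a database that is also served by winbind.

Example code added to the mailing-list thread; not Samba or glibc code."""

import re

# nsswitch.conf action specifications such as [NOTFOUND=return] are not sources
ACTION_RE = re.compile(r"\[[^\]]*\]")

# Constructed sample mirroring the configuration quoted in the post.
NSSWITCH_SAMPLE = """\
# constructed sample nsswitch.conf
passwd: compat ldap winbind
group:  compat ldap winbind
shadow: compat
hosts:  files dns [NOTFOUND=return]
"""

# Constructed sample nscd.conf fragment (assumed format: enable-cache <db> <yes|no>).
NSCD_SAMPLE = """\
# constructed sample nscd.conf
enable-cache passwd yes
enable-cache group  yes
enable-cache hosts  no
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text.

    Comments are stripped and bracketed action specs are dropped so that
    only the NSS source names remain, in lookup order."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        dbs[db.strip()] = ACTION_RE.sub(" ", sources).split()
    return dbs


def parse_nscd(text):
    """Return {database: bool} for every enable-cache line in nscd.conf text."""
    caches = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == "enable-cache":
            caches[parts[1]] = parts[2].lower() == "yes"
    return caches


def audit(nsswitch_text, nscd_text=""):
    """Return a list of (database, finding) tuples.

    "uncached_ldap": the "ldap" source is queried with no nscd cache for
    that database, so each NSS lookup hits the directory.
    "nscd_with_winbind": nscd caches a database that also uses winbind,
    which duplicates winbindd's own cache and is discouraged by the Samba
    documentation."""
    findings = []
    caches = parse_nscd(nscd_text)
    for db, sources in parse_nsswitch(nsswitch_text).items():
        nscd_caches_db = caches.get(db, False)
        if "ldap" in sources and not nscd_caches_db:
            findings.append((db, "uncached_ldap"))
        if "winbind" in sources and nscd_caches_db:
            findings.append((db, "nscd_with_winbind"))
    return findings


if __name__ == "__main__":
    # Without nscd (the poster's situation): every ldap lookup is live.
    for db, finding in audit(NSSWITCH_SAMPLE):
        print(f"no nscd: {db}: {finding}")
    # With nscd caching passwd/group: the winbind conflict appears instead.
    for db, finding in audit(NSSWITCH_SAMPLE, NSCD_SAMPLE):
        print(f"nscd on:  {db}: {finding}")
```

Run against the real files with `audit(open("/etc/nsswitch.conf").read(), open("/etc/nscd.conf").read())`; the two findings are mutually exclusive for a database that lists both "ldap" and "winbind", which is exactly why the poster cannot simply switch nscd on.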
