listserv.traffic@sloop.net
2006-May-24 20:31 UTC
[Samba] NSCD, should it be used or not with LDAP, pam, nss
Again, another confusing issue in two how-to's I'm trying to resolve.

In the SBE (samba-3 by example) Pg 161 in the PDF states. (It's actually page 200 of the PDF, but 161 of the numbered document pages.)

"The name service caching daemon (nscd) is a primary cause of difficulties with name resolution, particularly where winbind is used."

But the Authconfig in the IDEALX scripts appears to use NSCD, and the documents specifically talk about the desirability of caching for nss_ldap and pam_ldap.

(Section 4.2.1 of rev 1.10) (Quote: if you're going to use pam_ldap and nss_ldap you really should use it for optimization.)

Which is right? Why?

TIA
-Greg
Paul Gienger
2006-May-24 21:24 UTC
[Samba] NSCD, should it be used or not with LDAP, pam, nss
> In the SBE (samba-3 by example) Pg 161 in the PDF states. (It's
> actually page 200 of the PDF, but 161 of the numbered document pages.)
>
> "The name service caching daemon (nscd) is a primary cause of
> difficulties with name resolution, particularly where winbind is
> used."
>
> But the Authconfig in the IDEALX scripts appears to use NSCD, and the
> documents specifically talk about the desirability of caching for
> nss_ldap and pam_ldap.
>
> (Section 4.2.1 of rev 1.10) (Quote: if you're going to use pam_ldap
> and nss_ldap you really should use it for optimization.)
>
> Which is right? Why?

Notice the subtle difference here. One is referring to winbind, the other is referring to straight up LDAP.

If you're running LDAP for your UNIX and samba backend you probably want to cache since the LDAP services don't do it for you. If you don't run nscd a lot of times your performance will go through the floor as usage goes up since there are a LOT of queries going on.

If you have winbind going, it is doing any caching it feels necessary to do from the server that it is tied to. Employing nscd in this case is causing a redundancy of caching, and one more step of latency in the chain for updates to trickle through.

That's my take on it anyway.
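
The distinction drawn in the reply above (cache with nscd when lookups go straight to LDAP, leave it off when winbind is the source) can be checked on a host by comparing nsswitch.conf with nscd.conf. The script below is an added example, not part of the thread or of the Samba or IDEALX documentation; the function names, verdict labels and sample files are constructed, and it assumes a database with no enable-cache line is not cached.

```shell
#!/bin/sh
# Added example (not from the thread): audit nscd caching against NSS sources.

# nss_sources FILE DB -> sources configured for DB in an nsswitch.conf
nss_sources() {
    awk -v db="$2:" '$1 == db { sub(/#.*/, ""); $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# nscd_cache FILE DB -> yes|no from "enable-cache DB yes|no" in an nscd.conf.
# Assumption: a database with no enable-cache line is treated as not cached.
nscd_cache() {
    awk -v db="$2" '$1 == "enable-cache" && $2 == db { v = $3 }
        END { if (v == "yes") print "yes"; else print "no" }' "$1"
}

# audit NSSWITCH NSCD_CONF -> one verdict line each for passwd and group
audit() {
    for db in passwd group; do
        src=$(nss_sources "$1" "$db")
        cache=$(nscd_cache "$2" "$db")
        case " $src " in
            *" winbind "*)  # winbind keeps its own cache, so nscd is a second layer
                if [ "$cache" = yes ]; then v="redundant-cache"; else v="ok"; fi ;;
            *" ldap "*)     # direct LDAP lookups are not cached unless nscd does it
                if [ "$cache" = yes ]; then v="ok"; else v="uncached-ldap"; fi ;;
            *)  v="not-applicable" ;;
        esac
        echo "$db sources=[$src] nscd=$cache verdict=$v"
    done
}

# demo: run the audit over constructed sample files (not taken from any real host)
demo() {
    d=$(mktemp -d)
    printf 'passwd: files winbind\ngroup:  files ldap  # LDAP-backed groups\n' > "$d/nsswitch.conf"
    printf '# constructed nscd.conf\nenable-cache passwd yes\nenable-cache group no\n' > "$d/nscd.conf"
    audit "$d/nsswitch.conf" "$d/nscd.conf"
    rm -rf "$d"
}

# With two file arguments audit those; otherwise run the constructed demo.
if [ $# -eq 2 ]; then audit "$1" "$2"; else demo; fi
```

On a real host, pass copies of /etc/nsswitch.conf and /etc/nscd.conf as the two arguments.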