samba - May 2006 - NSCD, should it be used or not with LDAP, pam, nss

Again, another confusing issue in two how-to's I'm trying to resolve.

In the SBE (samba-3 by example) Pg 161 in the PDF states. (It's
actually page 200 of the PDF, but 161 of the numbered document pages.)

"The name service caching daemon (nscd) is a primary cause of
difficulties with name resolution, particularly where winbind is
used."

But the Authconfig in the IDEALX scripts appears to use NSCD, and the
documents specifically talk about the desirability of caching for
nss_ldap and pam_ldap.

(Section 4.2.1 of rev 1.10) (Quote: if you're going to use pam_ldap
and nss_ldap you really should use it for optimization.)

Which is right? Why?

TIA
-Greg

> In the SBE (samba-3 by example) Pg 161 in the PDF states. (It's
> actually page 200 of the PDF, but 161 of the numbered document pages.)
> 
> "The name service caching daemon (nscd) is a primary cause of
> difficulties with name resolution, particularly where winbind is
> used."
> 
> But the Authconfig in the IDEALX scripts appears to use NSCD, and the
> documents specifically talk about the desirability of caching for
> nss_ldap and pam_ldap.
> 
> (Section 4.2.1 of rev 1.10) (Quote: if you're going to use pam_ldap
> and nss_ldap you really should use it for optimization.)
> 
> Which is right? Why?

Notice the subtle difference here.  One is referring to winbind, the other
is referring to straight up LDAP.  

If you're running LDAP for your UNIX and samba backend you probably want to
cache since the LDAP services don't do it for you.  If you don't run
nscd a
lot of times your performance will go through the floor as usage goes up
since there are a LOT of queries going on.

If you have winbind going, it is doing any caching it feels necessary to do
from the server that it is tied to.  Employing nscd in this case is causing
a redundancy of caching, and one more step of latency in the chain for
updates to trickle through.


That's my take on it anyway.