Denis Cardon
2014-Sep-28 23:37 UTC
[Samba] nss, samba3/ldap PDC, NT4 interdomain trust and performance
Hi everyone,

last week I took a look at a samba3 PDC server with some performance issues. The samba3 PDC has an ldap backend and has nss_ldap configured properly. It also has an interdomain trust, so it has nss_winbind configured too, so in /etc/nsswitch.conf there is:

passwd: compat ldap winbind
group: compat ldap winbind

This setup has some performance issues on the nss_ldap part of the configuration (about 4000+ accounts in the ldap), mainly because there is no caching on the ldap part. I don't have the whole history of the setup, but I guess there is no nscd because the samba doc stated that one shall not enable nscd when winbind is used [1].

My first thought would be to migrate the whole thing to samba4 (I hope we will have the opportunity to experiment with interdomain trust in 4.2 :-).

But in the meantime, I was wondering how y'all did in the glorious old days of samba3 to manage this kind of setup: large samba3/openldap PDC with interdomain trust.

Would you advise to remove the nss_ldap part and replace it with idmap_ldap in winbind? I have never been a great fan of idmap_ldap and I'd prefer not to add an extra OU to the ldap tree. According to the idmap documentation it cannot be used with standard rfc2307 attributes, is it still true?

nslcd could also be a candidate since it has a basic caching ability, but I don't have much experience with it.

Or perhaps sssd, but I have never tried it in a samba3 PDC environment (yeah, sorry, I know, sssd usually generates lively threads on this mailing list :-)

I'd be happy to hear from you all.

Thanks,

Denis

[1] https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2657241

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
Denis Cardon
2014-Oct-01 14:39 UTC
[Samba] nss, samba3/ldap PDC, NT4 interdomain trust and performance
Hi again,

> last week I took a look at a samba3 PDC server with some performance
> issues. The samba3 PDC has an ldap backend and has nss_ldap configured
> properly. It also has an interdomain trust, so it has nss_winbind configured
> too, so in /etc/nsswitch.conf there is:
>
> passwd: compat ldap winbind
> group: compat ldap winbind

In the samba4 source tree, the idmap_rfc2307.c source file has code to connect not only to AD but also to a standard openldap. This could replace nss_ldap and make it unnecessary. Does anyone have experience with the winbind rfc2307 idmap module in an NT4-style samba3 PDC scenario? Is there a reason why it is not shipped with the samba-3.6.24 tarball? I think this is strange because it is located in the source3 folder of the samba4 tarball...

Thanks,

Denis

> This setup has some performance issues on the nss_ldap part of the
> configuration (about 4000+ accounts in the ldap), mainly because there is
> no caching on the ldap part. I don't have the whole history of the
> setup, but I guess there is no nscd because the samba doc stated that
> one shall not enable nscd when winbind is used [1].
>
> My first thought would be to migrate the whole thing to samba4 (I hope
> we will have the opportunity to experiment with interdomain trust in 4.2
> :-).
>
> But in the meantime, I was wondering how y'all did in the
> glorious old days of samba3 to manage this kind of setup: large
> samba3/openldap PDC with interdomain trust.
>
> Would you advise to remove the nss_ldap part and replace it with
> idmap_ldap in winbind? I have never been a great fan of idmap_ldap and
> I'd prefer not to add an extra OU to the ldap tree. According to the
> idmap documentation it cannot be used with standard rfc2307 attributes,
> is it still true?
>
> nslcd could also be a candidate since it has a basic caching ability, but
> I don't have much experience with it.
>
> Or perhaps sssd, but I have never tried it in a samba3 PDC environment
> (yeah, sorry, I know, sssd usually generates lively threads on this
> mailing list :-)
>
> I'd be happy to hear from you all.
>
> Thanks,
>
> Denis
>
> [1] https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2657241

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
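Added illustration, not part of the thread and not a configuration from the poster: the shape an smb.conf takes when the idmap_rfc2307 module referred to above is pointed at a stand-alone OpenLDAP server instead of nss_ldap, with the matching nsswitch.conf change. The parameter names follow the idmap_rfc2307(8) manual page shipped with Samba 4.x; the domain name EXAMPLE, the host names, DNs and id ranges are placeholders and the whole fragment presupposes a winbindd built from a tree that contains the module (as noted above, the 3.6.24 tarball does not ship it).

```ini
# /etc/samba/smb.conf (fragment) -- hypothetical values throughout
[global]
    workgroup = EXAMPLE

    # Default mapping for SIDs that belong to no configured domain
    # (the well-known BUILTIN SIDs, for instance). Ranges must not overlap.
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999

    # Resolve EXAMPLE users and groups from their rfc2307 uidNumber/gidNumber
    # attributes in OpenLDAP. ldap_server = stand-alone selects a plain LDAP
    # server rather than the AD global catalog; ldap_url is only read in
    # that mode. winbind then answers these lookups from its own cache.
    idmap config EXAMPLE : backend = rfc2307
    idmap config EXAMPLE : range = 1000-999999
    idmap config EXAMPLE : ldap_server = stand-alone
    idmap config EXAMPLE : ldap_url = ldap://ldap.example.com
    idmap config EXAMPLE : bind_path_user = ou=People,dc=example,dc=com
    idmap config EXAMPLE : bind_path_group = ou=Groups,dc=example,dc=com

    # Bind identity for the lookups. Leave ldap_user_dn out for an
    # anonymous bind; when set, the matching password is stored in
    # secrets.tdb with "net idmap set secret EXAMPLE <password>" rather
    # than written into this file.
    idmap config EXAMPLE : ldap_user_dn = cn=idmap-reader,dc=example,dc=com

# /etc/nsswitch.conf -- the ldap module is dropped so that every non-local
# lookup goes through winbind and its cache instead of an uncached LDAP query
#
#   passwd: compat winbind
#   group:  compat winbind
```

The range of the EXAMPLE block has to cover every uidNumber and gidNumber actually present in the directory, since winbind rejects ids that fall outside it; an account that suddenly stops resolving after such a change is usually one whose number lies outside the configured range rather than an LDAP failure.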