samba - Mar 2018 - nscd and winbindd

Dear samba folks,


I have a special question regarding the simultaneous operation of nscd and
winbindd on the same host:



We are running in a Samba file server setup where the nsswitch.conf looks like
this:


passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis



Nscd is used to do general name service caching while winbindd is up to the task
to map SID <-> UID via the tdb backend.



Usually, you find only information about setups where the nsswitch.conf looks
something like this:



passwd: files winbind
shadow: files
group: files winbind

[...]


and a general warning is given that nscd should not operate while winbindd is
running on the same host.

Some sort of inconsistency wrt. to the caching of the name service information
will result, as I understood.

Does the same warning/problem also apply to our specific configuration setup?



Thanks for your advice.




Regards



Sebastian




Sebastian Kraus
Team IT am Institut für Chemie
Gebäude C, Straße des 17. Juni 115, Raum C7

Technische Universität Berlin
Fakultät II
Institut für Chemie
Sekretariat C3
Straße des 17. Juni 135
10623 Berlin


Tel.: +49 30 314 22263
Fax: +49 30 314 29309
Email: sebastian.kraus at tu-berlin.de

On Fri, 2 Mar 2018 06:44:14 +0000
"Kraus, Sebastian via samba" <samba at lists.samba.org> wrote:
> Dear samba folks,
> 
> 
> I have a special question regarding the simultaneous operation of
> nscd and winbindd on the same host:
> 
> 
> 
> We are running in a Samba file server setup where the nsswitch.conf
> looks like this:
> 
> 
> passwd:         files ldap
> group:          files ldap
> shadow:         files ldap
> 
> Nscd is used to do general name service caching while winbindd is up
> to the task to map SID <-> UID via the tdb backend.
> 
 
As you are not using winbind, I cannot see how the winbind cache could
interfere with the nscd cache.

Rowland

Am Freitag, 2. März 2018, 06:44:14 CET schrieb Kraus, Sebastian via 
samba:
> Dear samba folks,
> 
> 
> I have a special question regarding the simultaneous operation of nscd
> and winbindd on the same host:
> 
> 
> 
> We are running in a Samba file server setup where the nsswitch.conf
> looks like this:
> 
> 
> passwd:         files ldap
> group:          files ldap
> shadow:         files ldap
> 
> hosts:          files dns wins
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> 
> 
> Nscd is used to do general name service caching while winbindd is up
> to the task to map SID <-> UID via the tdb backend.
> 
> 
> 
> Usually, you find only information about setups where the
> nsswitch.conf looks something like this:
Hhmm,
my preferred search engine tells me, it has found 296000 documents
search: passwd files ldap
> passwd: files winbind
> shadow: files
> group: files winbind
> 
> [...]
> 
> 
> and a general warning is given that nscd should not operate while
> winbindd is running on the same host.
I believe you misunderstood this warning.
Padl's nscd and/or Arthur de Jong's nslcd works well with windbind. As
long
as you *do not setup both in PAM/NSS configuration* . i.e.

Both are OK. But use only one line
group: files winbind
group: files ldap

Both makes trouble, but maybe it is a solution in special setups
group: files ldap winbind
group: files winbind ldap
> Some sort of inconsistency wrt. to the caching of the name service
> information will result, as I understood.
> 
> Does the same warning/problem also apply to our specific configuration
> setup?
No

But you should know that nscd caches entrys for one hour by default. So, if 
you make changes to an entry i.e. a group, you must wait or manually 
refresh the nscd cache. Could be a pain and/or a risk in some situations. 
Shorten the cache time may also help.
nscd -i groups

How many user and groups has your setup?
> 
> Thanks for your advice.
> 
> 
> 
> 
> Regards
> 
> 
> 
> Sebastian
> 
> 
> 
> 
> Sebastian Kraus
> Team IT am Institut für Chemie
> Gebäude C, Straße des 17. Juni 115, Raum C7
> 
> Technische Universität Berlin
> Fakultät II
> Institut für Chemie
> Sekretariat C3
> Straße des 17. Juni 135
> 10623 Berlin
> 
> 
> Tel.: +49 30 314 22263
> Fax: +49 30 314 29309
> Email: sebastian.kraus at tu-berlin.de

-- 

Gruss
	Harry Jede