
KB-1937: Will Enabling NSCD Help Centrify?

Authentication Service, Mac & PC Management Service

18 September,20 at 04:44 PM


Why do commands like ps -ef or getent take a long time to execute? Will enabling the OS NSCD (name server caching daemon) help in any way?


This can happen if the system in question is under heavy load. NSCD has been found to help with issues where adclient is causing high CPU usage.

Customers are encouraged to enable the nscd daemon. NSCD caching is far superior, and many customers have benefited from it, especially with issues such as getent passwd and ps -ef performance.

NSCD is a daemon that caches information for fast retrieval by the applications that need it. NSCD is capable of caching many of the databases listed in nsswitch.conf.

  • In releases prior to DirectControl 4.0, adclient would disable any caching daemons to prevent double caching of data. After further analysis, Centrify has found that in many cases, disabling the system caching daemon was too detrimental to system performance, and it was not possible for adclient to match the performance of services like NSCD.
  • There are significant performance gains from enabling NSCD caching for passwd and group information. Note that NSCD is talking to the DirectControl adclient on the backend.
  • The main reason is that NSCD maintains a cache remembering answers to the most recent queries. It is highly OS specific so as to take advantage of performance shortcuts like sysdoor, which requires no I/O, no context switch, etc. It is normal to see a 90%+ cache hit rate. In general, customers can expect a 10%+ performance enhancement in terms of response time and CPU consumption.
  • Configuration wise, it is also OS specific, but we find in general the default settings work reasonably well.
If customers wish to fine-tune, here are some recommendations (optional):
  • On Solaris, please edit /etc/nscd.conf to contain the following:
positive-time-to-live   passwd  600 <=== 5 min seems reasonable
negative-time-to-live   passwd          5
keep-hot-count          passwd  20 <=== may want to increase this to a larger prime number, like 211.
check-files  passwd          yes

(ditto for group)

If the Solaris NSCD service is not online, it can be enabled using the following command:

# svcadm enable svc:/system/name-service-cache:default
  • For Linux servers, please edit the /etc/nscd.conf file to contain the following:
enable-cache            passwd          yes
positive-time-to-live   passwd          600
negative-time-to-live   passwd          20
suggested-size          passwd          211 <=== prime number
check-files             passwd          yes
persistent              passwd          yes <=== means to keep a file cache
shared                  passwd          yes
max-db-size             passwd          33554432
auto-propagate          passwd          yes
(ditto for group)

If /etc/nscd.conf is not available on a Linux server, please install the NSCD tool using "yum install nscd" (Red Hat).

A couple of system-specific notes:
Linux/Solaris - See /etc/nscd.conf for cache timeout and configuration settings. On systems where new users are often added and removed, you may want to shorten the expiration times for users and groups. On Solaris, NSCD uses a Solaris door. On the latest versions of Linux it uses a shared memory segment. 

HPUX - The NSCD equivalent daemon on HPUX is called pwgrd. It does not have any configuration parameters. The HP pwgrd man page states that running this daemon is strongly recommended, but not required. We noticed slow shared library load times on some HPUX systems, which can cause programs like ls to run slowly.

macOS - The DirectControl agent is actually a Darwin DirectoryService plugin, which works very similarly to NSCD and is not an optional service.

AIX - AIX does not have a name service caching interface. It has netcd instead.
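
To check an existing Linux /etc/nscd.conf against the settings above, and to see how long a removed user or group can still be answered from cache (the concern behind the note on shortening expiration times), the following added example, which is not Centrify's code, reads the passwd and group entries and flags a positive TTL above a chosen limit. The function names, the 600-second limit and the sample file are assumptions made for illustration.

```shell
# nscd_get FILE DB KEY: print the value set for KEY on database DB.
# Assumption: when a key is repeated, the last line is the one reported.
nscd_get() {
    awk -v db="$2" -v key="$3" '
        { sub(/#.*/, "") }                  # drop comments
        $1 == key && $2 == db { v = $3 }    # fields: key, database, value
        END { if (v != "") print v }
    ' "$1"
}

# nscd_check FILE MAX_TTL: one line per database; returns 1 on any finding.
nscd_check() {
    file=$1 max=$2 rc=0
    for db in passwd group; do
        enabled=$(nscd_get "$file" "$db" enable-cache)
        ttl=$(nscd_get "$file" "$db" positive-time-to-live)
        if [ "$enabled" != "yes" ]; then
            echo "$db: enable-cache is not set to yes"; rc=1
        elif [ -z "$ttl" ]; then
            echo "$db: positive-time-to-live is not set"; rc=1
        elif [ "$ttl" -gt "$max" ]; then
            echo "$db: positive TTL ${ttl}s exceeds ${max}s"; rc=1
        else
            echo "$db: ok (positive TTL ${ttl}s)"
        fi
    done
    return $rc
}

# Constructed sample: passwd as listed above, group with a longer TTL.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not taken from a real host
enable-cache            passwd          yes
positive-time-to-live   passwd          600
negative-time-to-live   passwd          20
enable-cache            group           yes
positive-time-to-live   group           3600   # constructed value
EOF
}

sample=$(mktemp)
write_sample "$sample"
nscd_check "$sample" 600 || true   # group is reported, passwd is ok
rm -f "$sample"
```

Run nscd_check against the real /etc/nscd.conf with the longest staleness window you accept for account and group changes; a non-zero return means at least one of the two databases needs attention.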