KB-1937: Will turning on nscd help Centrify?

Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April,16 at 11:07 AM

Question:

Why do commands like ps -ef or getent take a long time to execute? Will turning on the OS nscd (name service caching daemon) help in any way?





Answer:

This can happen if the system in question is under heavy load.


You can turn on the nscd daemon. nscd caching is far superior, and a lot of our customers have benefited from it, especially with issues such as getent passwd and ps -ef performance.


The program nscd (name service caching daemon) is a daemon which caches information for fast retrieval by applications which need them. nscd is capable of caching many of the databases listed in nsswitch.conf.

In releases prior to DirectControl 4.0, adclient would disable any caching daemons to prevent double caching of data. After further analysis, we found that in many cases, disabling the system caching daemon was too detrimental to system performance, and it was not possible for adclient to match the performance of services like nscd.

 
There are significant performance gains from enabling nscd caching for passwd and group information. Note that nscd is talking to the DirectControl adclient on the backend.
 
The main reason is that nscd maintains a cache that remembers answers to the most recent queries. It is highly OS specific so as to take advantage of performance shortcuts like sysdoor, which requires no IO, no context switch, etc. It is normal to see a 90%+ cache hit rate. In general, customers can expect a 10%+ performance enhancement in terms of response time and CPU consumption.
 
Configuration-wise, it is also OS specific, but we find that in general the defaults work reasonably well.
 
If customers wish to fine-tune, here are some recommendations:

On Solaris, /etc/nscd.conf
 
# 5 min seems reasonable
positive-time-to-live   passwd          600
negative-time-to-live   passwd          5
# may want to increase this to a larger prime number, like 211
keep-hot-count          passwd          20
check-files             passwd          yes
 
(ditto for group)
 
On Linux, /etc/nscd.conf
 
enable-cache            passwd          yes
positive-time-to-live   passwd          600
negative-time-to-live   passwd          20
# prime number
suggested-size          passwd          211
check-files             passwd          yes
# means to keep a file cache
persistent              passwd          yes
shared                  passwd          yes
max-db-size             passwd          33554432
auto-propagate          passwd          yes
 
(ditto for group)
 
A couple of system-specific notes:
Linux/Solaris - See /etc/nscd.conf for cache timeout and configuration settings. On systems where new users are often added and removed, you may want to shorten the expiration times for users and groups. On Solaris, nscd uses a Solaris door. On the latest versions of Linux it uses a shared memory segment. 

HPUX - The nscd equivalent daemon on HPUX is called pwgrd. It does not have any configuration parameters. The HP pwgrd man page strongly recommends, but does not require, running this daemon. We noticed slow shared library load times on some HPUX systems, which can cause programs like ls to run slowly.

OS/X - The DirectControl agent is actually a Darwin DirectoryService plugin, which works very similarly to nscd and is not an optional service.

AIX - AIX does not have a name service caching interface. It has netcd instead. 
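
The following is an added example, not Centrify's own tooling: a small audit of a Linux-style nscd.conf that reports how long a removed user or group can still be served from cache and whether the passwd tuning was actually repeated for group ("ditto for group"). The sample file text and the 600-second ceiling are assumptions chosen to match the values listed above.

```python
# Added example: audit passwd/group cache settings in a Linux-style nscd.conf.
# SAMPLE_CONF is constructed for illustration; the 600 s ceiling is an assumption.

SAMPLE_CONF = """\
# constructed sample
logfile                 /var/log/nscd.log
enable-cache            passwd          yes
positive-time-to-live   passwd          600
negative-time-to-live   passwd          20
check-files             passwd          yes
enable-cache            group           yes
positive-time-to-live   group           3600   # longer than passwd
negative-time-to-live   group           60
enable-cache            hosts           no
"""

def parse_nscd_conf(text):
    """Return {database: {attribute: value}} from three-field lines."""
    settings = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) != 3:                    # skip blanks and global options
            continue
        attr, db, value = fields
        settings.setdefault(db, {})[attr] = value
    return settings

def audit(text, max_positive_ttl=600):
    """List findings for the passwd and group caches."""
    conf = parse_nscd_conf(text)
    findings = []
    for db in ("passwd", "group"):
        opts = conf.get(db, {})
        if opts.get("enable-cache") != "yes":
            findings.append(f"{db}: cache not enabled")
            continue
        ttl = int(opts.get("positive-time-to-live", 0))
        if ttl > max_positive_ttl:              # stale-identity window
            findings.append(f"{db}: removed entries may be served for up to {ttl}s")
    # "ditto for group": report passwd settings that group does not mirror
    p, g = conf.get("passwd", {}), conf.get("group", {})
    for attr in sorted(set(p) - set(g)):
        findings.append(f"group: missing {attr} (set for passwd)")
    for attr in sorted(a for a in set(p) & set(g) if p[a] != g[a]):
        findings.append(f"group: {attr}={g[attr]} differs from passwd {p[attr]}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

To check a real host, pass the contents of /etc/nscd.conf to audit() in place of SAMPLE_CONF.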

 
