Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-2142: The unix command finger takes a long time to execute

Authentication Service ,  

12 April,16 at 11:45 AM

Applies to:
All versions of Centrify DirectControl.

The unix command /usr/bin/finger takes a long time to execute on a Centrified-server. Is there any reason?
On a Centrify server:
[centrify server ~]$ time finger madhumitha 
finger: madhumitha: no such user. 
real 0m6.566s 
user 0m0.096s 
sys 0m0.304s 
On a non-Centrified server:
[non-centrify-server]$ time finger wlu 
Login: wlu Name: Lu 
Directory: /home/wlu Shell: /tool/pandora/bin/tcsh 
Office: Wei 
On since Thu Jun 2 15:34 (PDT) on pts/0 
1 hour 28 minutes idle 
On since Tue May 31 12:01 (PDT) on :0 (messages off) 
On since Mon Jun 6 16:17 (PDT) on pts/4 2 hours 35 minutes idle 
real 0m3.764s 
user 0m0.061s 
sys 0m0.207s

The unix command /usr/bin/finger displays information about the system users. Please man pages for syntax and more information.
Centrify's recommends customers to turn on or enable nscd  (nameserver caching daemon) on their OS and leverage is performance as much as possible. nscd is OS optimized and is much much faster than the context switch required by adclient (Centrify) although adclient is the one that provided data for nscd to cache. 
RedHat code says finger is based on BSD, and it is doing 'getpwent' looping through EVERY user when using 'finger' for a particular user and so it will be slow the very first time but once cache is built using nscd or Centrify, it will be faster next time.
From our QA stress test records of Centrify 4.4.3 release, it also took about 5 seconds to enumerate 100,000 users when the cache is populated. We are looking into possible ways to speed this up but this is how finger works under Centrify today. 
The below link shows how to configure nscd. Centrify does not take any responsibility for the content and availability of the same. nscd is NOT provided by Centrify and is part of many OSes. Please consult the vendor.
nscd (Name Service Cache Daemon) is a GNU C Library -- A daemon which handles passwd, group and host lookups for running programs and caches the results for the next query. You should install this package only if you use slow Services like LDAP, NIS or NIS+
The nscd service comes as part of glibc , which means every Linux distribution will provide it. It is also extremely simple to set up. Once installed, edit the /etc/nscd.conf file to look similar to this:
 server-user nscd
 debug-level 0
 reload-count unlimited
 paranoia no
 enable-cache passwd yes  
 positive-time-to-live passwd 3600  
 negative-time-to-live passwd 20  
 suggested-size passwd 211  
 check-files passwd yes  
 persistent passwd yes  
 shared passwd yes  
 enable-cache group yes  
 positive-time-to-live group 3600  
 negative-time-to-live group 60  
 suggested-size group 211  
 check-files group yes  
 persistent group yes  
 shared group yes  
enable-cache hosts no  
Now start the nscd service. The above configuration tells nscd to cache group and passwd entries and to let them persist for 3600 seconds.
Once nscd has started and has a few cached entries under its belt -- if you are already logged in and then disconnect from the network -- you will still be able to continue using the system just as if you were on the network -- apart from accessing shares and printers, utilizing Kerberos, and performing new login sessions.
Future release of software will improve finger performance.