Applies to:
All versions of Centrify DirectControl.
Question:
The unix command /usr/bin/finger takes a long time to execute on a Centrified-server. Is there any reason?
On a Centrify server:
[centrify server ~]$ time finger madhumitha
finger: madhumitha: no such user.
real 0m6.566s
user 0m0.096s
sys 0m0.304s
On a non-Centrified server:
[non-centrify-server]$ time finger wlu
Login: wlu Name: Lu
Directory: /home/wlu Shell: /tool/pandora/bin/tcsh
Office: Wei
On since Thu Jun 2 15:34 (PDT) on pts/0
1 hour 28 minutes idle
On since Tue May 31 12:01 (PDT) on :0 (messages off)
On since Mon Jun 6 16:17 (PDT) on pts/4 2 hours 35 minutes idle
real 0m3.764s
user 0m0.061s
sys 0m0.207s
Answer:
The Unix command /usr/bin/finger displays information about the system users. Please see the man pages for syntax and more information.
Centrify recommends that customers enable nscd (name service cache daemon) on their OS and leverage its performance as much as possible. nscd is optimized for the OS and is much faster than the context switch required by adclient (Centrify), although adclient is the one that provides the data for nscd to cache.
According to the Red Hat source code, finger is based on the BSD implementation, and it calls 'getpwent' in a loop over EVERY user even when 'finger' is run for one particular user. It will therefore be slow the very first time, but once the cache has been built by nscd or Centrify, it will be faster the next time.
In our QA stress test records for the Centrify 4.4.3 release, it also took about 5 seconds to enumerate 100,000 users when the cache was populated. We are looking into possible ways to speed this up, but this is how finger works under Centrify today.
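To see the cost of the getpwent loop described above on a given host, the following added example (not Centrify's or finger's own code) times a full enumeration of the passwd database against a single getpwnam lookup. The helper names find_by_enumeration and find_by_lookup are hypothetical, and the default user name root is an assumed sample value.

```c
#define _DEFAULT_SOURCE   /* glibc: expose getpwent() and clock_gettime() */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Wall-clock seconds from a monotonic clock. */
static double now(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec + ts.tv_nsec / 1e9;
}

/* Enumeration, as the article describes finger doing: walk EVERY passwd
 * entry through NSS and compare names. *scanned receives the entry count.
 * If first is non-NULL it receives the first login name seen. */
int find_by_enumeration(const char *name, long *scanned, char *first, size_t n) {
    struct passwd *pw;
    int found = 0;
    *scanned = 0;
    setpwent();
    while ((pw = getpwent()) != NULL) {
        if (first && *scanned == 0) snprintf(first, n, "%s", pw->pw_name);
        if (strcmp(pw->pw_name, name) == 0) found = 1;  /* keep scanning */
        (*scanned)++;
    }
    endpwent();
    return found;
}

/* Keyed lookup: a single NSS request for one name. */
int find_by_lookup(const char *name) {
    return getpwnam(name) != NULL;
}

int main(int argc, char **argv) {
    const char *name = argc > 1 ? argv[1] : "root";  /* assumed sample name */
    long scanned;
    double t0 = now();
    int e = find_by_enumeration(name, &scanned, NULL, 0);
    double t1 = now();
    int k = find_by_lookup(name);
    double t2 = now();
    printf("getpwent loop: %ld entries, found=%d, %.3fs\n", scanned, e, t1 - t0);
    printf("getpwnam:      found=%d, %.3fs\n", k, t2 - t1);
    return 0;
}
```

Run it with a user name as the only argument; the enumeration time grows with the number of users the name service returns, while the keyed lookup does not depend on it in the same way.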
The links below show how to configure nscd. Centrify does not take any responsibility for the content and availability of the same. nscd is NOT provided by Centrify and is part of many OSes. Please consult the vendor.
http://linuxpoison.blogspot.com/2008/08/how-to-useconfigure-nscd-for-caching.html
http://www.novell.com/documentation/suse91/suselinux-adminguide/html/ch14s03.html
nscd (Name Service Cache Daemon) is part of the GNU C Library: a daemon which handles passwd, group and host lookups for running programs and caches the results for the next query. You should install this package only if you use slow services like LDAP, NIS or NIS+.
The nscd service comes as part of glibc, which means every Linux distribution will provide it. It is also extremely simple to set up. Once installed, edit the /etc/nscd.conf file to look similar to this:
server-user nscd
debug-level 0
reload-count unlimited
paranoia no
enable-cache passwd yes
positive-time-to-live passwd 3600
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd yes
shared passwd yes
enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
check-files group yes
persistent group yes
shared group yes
enable-cache hosts no
Now start the nscd service. The above configuration tells nscd to cache group and passwd entries and to let them persist for 3600 seconds.
Once nscd has started and has a few cached entries under its belt -- if you are already logged in and then disconnect from the network -- you will still be able to continue using the system just as if you were on the network -- apart from accessing shares and printers, utilizing Kerberos, and performing new login sessions.
A future release of the software will improve finger performance.