Certification Objective 11.05—A Cache for the Naming Service

Exam Objective 5.2: Configure, stop and start the Name Service Cache Daemon (nscd) and retrieve naming service information using the getent command.

Generally speaking, caching is the process of saving information closer to the client and serving it from the cache (not from the original source) when a request arrives. This improves performance, but it also raises the question of when the cached information becomes stale and needs to be refreshed, that is, how to stay in sync with the original source of information (the server). Naming service caching is provided by the naming service cache daemon.

Managing the Naming Service Cache Daemon

The naming service cache daemon (nscd) provides a cache for common naming service requests. The daemon starts automatically when the Solaris system is booted and provides caching for the following service databases:

  • exec_attr. Contains execution profiles (RBAC).

  • group. Contains group security information.

  • hosts. Contains the machine name and IP address information.

  • ipnodes. Contains IP address and machine name information.

  • passwd. Contains password information.

  • prof_attr. Contains profile attributes (related to RBAC).

  • user_attr. Contains attributes for users and roles (related to RBAC).

The exec_attr, prof_attr, and user_attr databases are part of Role Based Access Control (RBAC), which is discussed in Chapter 14.

If NIS+ is being used, the nscd checks the permissions on the passwd table to preserve NIS+ security. If this table cannot be read by an unauthenticated user, nscd makes sure that any encrypted password information from the NIS+ server is served only to the owner of that password.

You can also use the nscd command as an administration tool. Any nscd command you issue is passed transparently to an already running instance of nscd. The nscd command has the following syntax:

    /usr/sbin/nscd [-e <cacheName>, yes|no] [-f <configurationFile>] [-g] [-i <cacheName>]

The <configurationFile> specifies the configuration file that determines the behavior of nscd, and the default is /etc/nscd.conf. The <cacheName> specifies the name of the database from the list of databases supported by nscd such as group, hosts, and ipnodes. The options are described here:

  • -e <cacheName>, yes|no. Enables (yes) or disables (no) the cache specified by <cacheName>.

  • -f <configurationFile>. Instructs nscd to configure itself from the file specified by <configurationFile>, whose default value is /etc/nscd.conf.

  • -g. Prints the current configuration information and statistics to the standard output. A non-root user can execute the nscd command only with this option.

  • -i <cacheName>. Invalidates the cache specified by the <cacheName>.

Although nscd is started automatically when the system is booted, there will be situations in which you would like to stop and restart the daemon—for example, when the nsswitch.conf file is changed. You can use the following SMF commands to accomplish that:

    svcadm disable $FMRI
    svcadm enable $FMRI

where $FMRI specifies the nscd instance with a value like system/name-service-cache:default. You can also use the old commands:

    /etc/init.d/nscd stop
    /etc/init.d/nscd start

These scripts have been modified to eventually execute the svcadm command under the hood. Remember that the nscd daemon also caches the switch information.
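An added example (not from the study guide) of the staleness problem described above: it compares what the hosts file says with what a lookup through the naming service returns and, on a mismatch, invalidates only the hosts cache with nscd -i. It uses the getent command covered in the next section and assumes hosts are resolved from files; the function names and the HOSTS_FILE variable are made up for the example.

```shell
#!/bin/sh
# Added example: detect a stale nscd hosts entry and invalidate that cache.
# Assumption: the hosts database is resolved from files, so the file is the
# authoritative source that the cache should agree with.
HOSTS_FILE=${HOSTS_FILE:-/etc/inet/hosts}   # hypothetical override variable

# Print the address the hosts file maps a name to (first match wins).
file_addr() {
    awk -v n="$1" '
        /^[ \t]*#/ { next }                       # skip comment lines
        {
            sub(/#.*/, "")                        # drop trailing comments
            for (i = 2; i <= NF; i++)
                if ($i == n) { print $1; exit }
        }
    ' "$HOSTS_FILE"
}

# Print the address a naming service lookup returns for the name.
cached_addr() {
    getent hosts "$1" | awk 'NR == 1 { print $1 }'
}

# Return 0 when the lookup and the file agree, 1 after invalidating a stale
# cache, 2 when the name is not defined in the hosts file at all.
check_hosts_cache() {
    want=$(file_addr "$1")
    [ -n "$want" ] || return 2
    have=$(cached_addr "$1")
    [ "$want" = "$have" ] && return 0
    echo "stale: $1 file=$want lookup=${have:-none}" >&2
    nscd -i hosts            # invalidate the hosts cache only (needs root)
    return 1
}

# Usage, as root, after editing the hosts file:
#   check_hosts_cache somehost
```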

There will be situations when you would like to examine the naming service databases. You can do it with the getent command.

Using the getent Command

You can retrieve the naming service information by using the getent command, which has the following syntax:

    getent <database> [<key>] 

The argument <database> specifies the name of the name service database to be examined. It could be any of the following:

  • /etc/ethers. Database for Ethernet address to host name

  • /etc/group. The group file

  • /etc/inet/hosts. The database for IP version 4 host names

  • /etc/inet/ipnodes. The database for IP version 4 and 6 host names

  • /etc/netmasks. The database for network masks

  • /etc/networks. The network name database

  • /etc/passwd. The password file

  • /etc/project. The project file

  • /etc/protocols. The protocol name database

  • /etc/services. Database for Internet services and aliases

The <key> argument specifies the key related to the database to be searched—for example, user name or numeric-uid for passwd. The getent command displays the database entries that match each of the supplied keys, one per line.

For example, consider the following command:

    getent passwd danq 

It will generate output like the following:

    danq::30641:10:Dan Quale User:/home/danq:/bin/csh 

The getent command retrieves information from the database sources specified for the <database> in the name service switch file, /etc/nsswitch.conf.
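An added example, not part of the study guide: because getent returns the view built from every source listed in /etc/nsswitch.conf, its passwd output can be reviewed for accounts that do not come from the local file, for empty password fields (as in the sample line above), and for extra UID 0 accounts. The function names and the constructed sample entries are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: review the account view that getent passwd returns.
# Fields of each line: name:password:uid:gid:comment:home:shell

# Read passwd-format lines on stdin; $1 is the local passwd file.
# Each finding is printed as "<TAG> <login>".
audit_passwd_view() {
    awk -F: -v localfile="$1" '
        BEGIN {
            # Remember which logins are defined in the local file.
            while ((getline line < localfile) > 0) {
                split(line, f, ":")
                islocal[f[1]] = 1
            }
        }
        NF != 7                 { print "MALFORMED", $1; next }
        $2 == ""                { print "EMPTY_PASSWORD", $1 }
        $3 == 0 && $1 != "root" { print "EXTRA_UID0", $1 }
        !($1 in islocal)        { print "NETWORK_SOURCE", $1 }
    '
}

# Constructed sample: a local passwd file with two entries ...
constructed_local() {
    printf '%s\n' \
        'root:x:0:0:Super-User:/:/sbin/sh' \
        'danq::30641:10:Dan Quale User:/home/danq:/bin/csh'
}

# ... and the merged view a naming service lookup might return (constructed).
constructed_view() {
    constructed_local
    printf '%s\n' \
        'toor:x:0:0:constructed entry:/:/sbin/sh' \
        'nisuser:x:2001:10:constructed entry:/home/nisuser:/bin/sh'
}

# Usage on a live system:
#   getent passwd | audit_passwd_view /etc/passwd
```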

The three most important takeaways from this chapter are as follows:

  • NIS is used to centralize the administration of network information such as machine names, user names, and network services, whereas DNS runs on the Internet to resolve domain names to IP addresses. LDAP manages the same kind of information as NIS, but it is based on an open Internet standard.

  • You can use the ypinit command to set up master servers, slave servers, and clients for NIS, and the ldapclient command to set up clients for the LDAP service.

  • The nscd daemon offers the cache service for most common naming service requests.




Sun Certified System Administrator for Solaris 10 Study Guide Exams 310-XXX & 310-XXX
Year: 2005
Pages: 168
