Certification Objective 11.05—A Cache for the Naming Service
The naming service cache daemon (nscd) provides a cache for common naming
service requests. The daemon starts automatically when the Solaris system is
booted and provides caching for the following service databases:
exec_attr. Contains execution profiles (RBAC).
group. Contains group security information.
hosts. Contains the machine name and IP address information.
ipnodes. Contains IP address and machine name information.
passwd. Contains password information.
prof_attr. Contains profile attributes (related to RBAC).
user_attr. Contains attributes for users and roles (related to
RBAC).
The exec_attr, prof_attr, and user_attr databases are part of Role-Based Access
Control (RBAC), which is discussed in Chapter 14.
If NIS+ is being used, the nscd checks the permissions on the passwd table to
preserve NIS+ security. If this table cannot be read by an unauthenticated user,
nscd makes sure that any encrypted password information from the NIS+ server is
served only to the owner of that password.
You can also use the nscd command as an administration tool. Any nscd command
you issue is passed transparently to the already running instance of nscd. The
nscd command has the following syntax:
/usr/sbin/nscd [-e <cacheName>,yes|no] [-f <configurationFile>] [-g] [-i <cacheName>]
The <configurationFile> specifies the configuration file that
determines the behavior of nscd, and the default is /etc/nscd.conf. The
<cacheName> specifies the name of the database from the list of databases
supported by nscd such as group, hosts, and ipnodes. The options are described
here:
-e <cacheName>, yes|no. Enables (yes) or disables (no) the cache
specified by <cacheName>.
-f <configurationFile>. Instructs nscd to configure itself from
the file specified by <configurationFile>, whose default value is
/etc/nscd.conf.
-g. Prints the current configuration information and statistics to
standard output. This is the only option a non-root user is allowed to run;
the others change the daemon's state and require root.
-i <cacheName>. Invalidates the cache specified by the
<cacheName>.
Although nscd is started automatically when the system is booted, there will
be situations in which you would like to stop and restart the daemon, for
example when the nsswitch.conf file is changed. You can use the following SMF
commands to accomplish that:
svcadm disable $FMRI
svcadm enable $FMRI
where $FMRI specifies the nscd instance with a value like
system/name-service-cache:default. You can also use the old commands:
/etc/init.d/nscd stop
/etc/init.d/nscd start
These scripts have been modified so that they ultimately call svcadm under
the hood. Remember that nscd also caches the name service switch settings
from nsswitch.conf, which is why a change to that file does not take effect
until the daemon is restarted.
There will be situations when you would like to examine the naming service
databases. You can do it with the getent command.
Using the getent Command
You can retrieve naming service information by using the getent command,
which has the following syntax:
getent <database> [<key> ...]
The argument <database> specifies the name of the name service database
to be examined. It could be any of the following:
/etc/ethers. Database for Ethernet address to host name
/etc/group. The group file
/etc/inet/hosts. The database for IP version 4 host names
/etc/inet/ipnodes. The database for IP version 4 and 6 host names
/etc/netmasks. The database for network masks
/etc/networks. The network name database
/etc/passwd. The password file
/etc/project. The project file
/etc/protocols. The protocol name database
/etc/services. Database for Internet services and aliases
The <key> argument specifies a key appropriate to the database being
searched, for example a user name or numeric UID for passwd. The getent
command displays the database entries that match each of the supplied keys,
one per line; with no key, it lists every entry the configured sources return.
For example, consider the following command:
getent passwd danq
It will generate output like the following:
danq::30641:10:Dan Quale User:/home/danq:/bin/csh
The fields are the user name, password field, UID, GID, comment, home
directory, and login shell, exactly as the passwd source supplies them. In
this sample the password field is empty. getent shows whatever the configured
source returns for that field, so if a NIS passwd map carries password hashes,
any user who can run getent can read them.
The getent command retrieves information from the database sources specified
for the <database> in the name service switch file,
/etc/nsswitch.conf.
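The following script ties together the nscd administration commands, the restart after an nsswitch.conf change, and a getent check. It is an added example, not code from the book or from Solaris itself. It assumes the Solaris 10 FMRI and commands named in the text (svcadm, /etc/init.d/nscd, nscd -i, nscd -g, getent); the audit helpers work on plain passwd(4) lines, so they can be exercised on any POSIX system with the constructed sample line used below.

```shell
#!/bin/sh
# Added example, not from the book: refresh nscd after editing
# /etc/nsswitch.conf and audit what getent serves afterwards.
# Assumes the Solaris 10 FMRI and commands shown in the text.

FMRI="system/name-service-cache:default"

# Restart nscd so it re-reads nsswitch.conf (it caches the switch settings).
# Prefers SMF, falls back to the legacy init script, fails if neither exists.
refresh_nscd() {
    if command -v svcadm >/dev/null 2>&1; then
        svcadm disable "$FMRI" && svcadm enable "$FMRI"
    elif [ -x /etc/init.d/nscd ]; then
        /etc/init.d/nscd stop && /etc/init.d/nscd start
    else
        echo "refresh_nscd: neither svcadm nor /etc/init.d/nscd found" >&2
        return 1
    fi
}

# Drop one cache (for example hosts) without restarting the daemon,
# then print the current configuration and statistics.
flush_cache() {
    nscd -i "$1" && nscd -g
}

# Field N (1-based) of a colon-separated passwd(4) line.
passwd_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Audit one line of `getent passwd` output. Return codes:
#   0  password field is a placeholder (x, or a string starting with *)
#   1  password field is empty: the passwd source carries no password
#   2  anything else: a password hash is being served by the passwd source
audit_passwd_line() {
    user=$(passwd_field "$1" 1)
    pw=$(passwd_field "$1" 2)
    case "$pw" in
        x|'*'*) echo "$user: ok, password shadowed";                        return 0 ;;
        '')     echo "$user: WARNING empty password field";                  return 1 ;;
        *)      echo "$user: WARNING hash visible to anyone running getent"; return 2 ;;
    esac
}

# Run the audit over every entry the configured passwd sources return.
# Exit status is the worst verdict seen (3 if getent itself failed).
audit_all_passwd() {
    getent passwd | {
        worst=0
        while IFS= read -r line; do
            audit_passwd_line "$line" && rc=0 || rc=$?
            [ "$rc" -gt "$worst" ] && worst=$rc
        done
        exit "$worst"
    }
}

# Typical use after editing /etc/nsswitch.conf:
#   refresh_nscd && flush_cache hosts && audit_all_passwd
```

Run the three steps as root on the Solaris host after saving nsswitch.conf; the audit walks every entry the switch now returns, so a hash leaking from a newly added NIS source shows up immediately.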
The three most important takeaways from this chapter are as follows:
NIS is used to centralize the administration of network information such as
machine names, user names, and network services, whereas DNS runs on the
Internet to resolve domain names to IP addresses. LDAP manages the same kind of
information as NIS, but it is based on an open Internet standard.
You can use the ypinit command to set up master servers, slave servers, and
clients for NIS, and the ldapclient command to set up clients for the LDAP
service.
The nscd daemon provides a cache for the most common naming service
requests, including the name service switch settings themselves.