Re: adclient taking lots of CPU and debug log shows an NSSGetPasswdDataByName for all operations

,

Welcome to the Centrify Express forums.

Remember that the current community-supported Centrify Express vesion is the latest 5.3.x

Version 5.2.1 (released in 2014) is currently supported for commercial customers only.  If you are a commercial customer with current maintenance, please contact support.  You should be then posting in the Server Suite forum.

Some background information

The NSS call (NSSGetPasswdDataByName) is being used by one of the apps you have in your system.  This means "get me (a user, some users or all users) by name", hence the client going out to AD to look for the user(s).   In environments using Centrify Express (which makes all users/groups from the current and any trusted forest) can be a very expensive operation.  Our client will try to do multi-threaded searches to domain controllers (in complex environments, this means good proximity to a global catalog).  This is exacerbated if the application is requesting this data by asking to bypass the cache.

What to do?

• With Centrify Standard Edition you can limit the visibility of users/groups to those that are UNIX-enabled or needed by the system, plus many more capabilities like Privilege Management, Multi-factor auth, etc.
   A good design implies only making the users/groups visible that are needed. (Recommended).
• If you have standard edition - remember that you have the benefit of support. 
• Understand what the application is doing.  Older apps are notorious for making NSS calls that ask for all users/groups/members without using the cache.
• Upgrade to the latest version of the agent. There have been many improvements (5.2.1 will be EoS support next year).
• Implement the Name Service Cache Daemon (nscd), this allows you to have an OS cache and our cache.
• Limit the use of AutoZone to domains with lower numbers of objects.
• You can use the NSS user.ignore/group.ignore facilities to exclude users/groups from the scope of search.
• Establish a baseline.  If you track performance over time, you'll be able to determine what operations your app is performing that are causing the spikes.

R.P