Applies to: Centrify DirectControl for UNIX/Linux 4.2 and above
Question:
The following messages are observed in /var/log/centrifydc.log. What do they mean and how can they be eliminated?
Nov 5 01:39:30 censfac2d adclient[651]: [ID 702911 auth.info] INFO <fd:22 NSSGetUserGroupIDs> daemon.ipcclient getUserGroupsByZone: More than 458 groups in the zone, dynamically resetting adclient.zone.group.count to 503 (+10%)
Nov 5 01:55:31 censfac2d adclient[651]: [ID 702911 auth.info] INFO <fd:16 NSSGetUserGroupIDs> daemon.ipcclient getUserGroupsByZone: More than 458 groups in the zone, dynamically resetting adclient.zone.group.count to 503 (+10%)
Nov 5 01:56:31 censfac2d adclient[651]: [ID 702911 auth.info] INFO <fd:16 NSSGetUserGroupIDs> daemon.ipcclient getUserGroupsByZone: More than 458 groups in the zone, dynamically resetting adclient.zone.group.count to 503 (+10%)
Answer:
In /etc/centrifydc/centrifydc.conf, there is a parameter called adclient.zone.group.count.
Here is its explanation in centrify-unix-config-guide.pdf:
adclient.zone.group.count:
This configuration parameter provides a calculated value that controls the method used to determine group membership for users. If the calculated value for this parameter is larger than the number of groups a user is a member of, Centrify DirectControl iterates over the user’s group list to determine group membership. For example, if there are more group profiles defined for the zone than the number of groups the user is a member of, Centrify DirectControl uses the user’s group list to determine group membership.
If the calculated value for this parameter is smaller than the typical number of groups a user is a member of, Centrify DirectControl iterates over all of the group profiles enabled for the zone to determine group membership. For example, if there are fewer group profiles defined for the zone than the number of groups the user is a member of, Centrify DirectControl uses the zone’s group profile list to determine group membership.
Switching between the two methods for determining group membership may improve the log-in time for some users. You can use this configuration parameter to override the calculated value.
If you always want to use the user’s group membership list rather than iterate through the list of group profiles defined for the zone, you can set this parameter to an artificially high value.
If you always want to use the zone’s group profile list rather than iterate through the user’s group membership list, you can set this parameter to an artificially low value.
For example:
adclient.zone.group.count: 6
Resolution:
One can avoid this message by setting the correct value of the configuration parameter adclient.zone.group.count in /etc/centrifydc/centrifydc.conf, and then running the command "adreload".
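An added example (not Centrify code and not part of the original article): a Python sketch that counts these reset messages in centrifydc.log text and reports the value adclient reset to next to any explicit adclient.zone.group.count override in centrifydc.conf. The function names and the sample conf text are assumptions made for illustration; the sample log lines are the ones quoted in the Question.

```python
import re
from collections import Counter

# adclient INFO message, in the form quoted in the Question above.
RESET_RE = re.compile(
    r"adclient\[\d+\]: .*getUserGroupsByZone: More than (\d+) groups in the zone, "
    r"dynamically resetting adclient\.zone\.group\.count to (\d+)"
)
# An active (uncommented) "adclient.zone.group.count: N" line in centrifydc.conf.
CONF_RE = re.compile(
    r"^[ \t]*adclient\.zone\.group\.count[ \t]*:[ \t]*(\d+)[ \t]*$", re.M
)


def parse_resets(log_text):
    """Return one (exceeded, reset_to) integer pair per matching log line."""
    return [(int(m.group(1)), int(m.group(2))) for m in RESET_RE.finditer(log_text)]


def configured_count(conf_text):
    """Return the explicit override from the conf text, or None if it is unset."""
    m = CONF_RE.search(conf_text)
    return int(m.group(1)) if m else None


def summarize(log_text, conf_text):
    """Summarize the reset events next to the value set in centrifydc.conf."""
    resets = parse_resets(log_text)
    return {
        "events": len(resets),
        "reset_values": dict(Counter(new for _, new in resets)),
        "last_reset_to": resets[-1][1] if resets else None,
        "configured": configured_count(conf_text),
    }


# Log lines copied from the Question above; the conf text is constructed.
SAMPLE_LOG = """\
Nov 5 01:39:30 censfac2d adclient[651]: [ID 702911 auth.info] INFO <fd:22 NSSGetUserGroupIDs> daemon.ipcclient getUserGroupsByZone: More than 458 groups in the zone, dynamically resetting adclient.zone.group.count to 503 (+10%)
Nov 5 01:55:31 censfac2d adclient[651]: [ID 702911 auth.info] INFO <fd:16 NSSGetUserGroupIDs> daemon.ipcclient getUserGroupsByZone: More than 458 groups in the zone, dynamically resetting adclient.zone.group.count to 503 (+10%)
Nov 5 01:56:31 censfac2d adclient[651]: [ID 702911 auth.info] INFO <fd:16 NSSGetUserGroupIDs> daemon.ipcclient getUserGroupsByZone: More than 458 groups in the zone, dynamically resetting adclient.zone.group.count to 503 (+10%)
"""
SAMPLE_CONF = "# adclient.zone.group.count: 6\n"  # constructed: override commented out

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, SAMPLE_CONF))
```

To run it against a real host, pass the contents of /var/log/centrifydc.log and /etc/centrifydc/centrifydc.conf to summarize() in place of the samples.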