
KB-1419: More than xxx groups in the zone, dynamically resetting adclient.zone.group.

Centrify DirectAudit, Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April, 16 at 11:12 AM

Applies to: Centrify DirectControl for UNIX/Linux 4.2 and above

Question:

The following messages are observed in /var/log/centrifydc.log. What do they mean, and how can one eliminate them?

Nov 5 01:39:30 censfac2d adclient[651]: [ID 702911 auth.info] INFO <fd:22 NSSGetUserGroupIDs> daemon.ipcclient getUserGroupsByZone: More than 458 groups in the zone, dynamically resetting adclient.zone.group.count to 503 (+10%)

Nov 5 01:55:31 censfac2d adclient[651]: [ID 702911 auth.info] INFO <fd:16 NSSGetUserGroupIDs> daemon.ipcclient getUserGroupsByZone: More than 458 groups in the zone, dynamically resetting adclient.zone.group.count to 503 (+10%)
Nov 5 01:56:31 censfac2d adclient[651]: [ID 702911 auth.info] INFO <fd:16 NSSGetUserGroupIDs> daemon.ipcclient getUserGroupsByZone: More than 458 groups in the zone, dynamically resetting adclient.zone.group.count to 503 (+10%)


Answer:

In /etc/centrifydc/centrifydc.conf, there is a parameter called adclient.zone.group.count.

Here is its explanation in centrify-unix-config-guide.pdf:

adclient.zone.group.count:

This configuration parameter provides a calculated value that controls the method used to determine group membership for users. If the calculated value for this parameter is larger than the number of groups a user is a member of, Centrify DirectControl iterates over the user’s group list to determine group membership. For example, if there are more group profiles defined for the zone than the number of groups the user is a member of, Centrify DirectControl uses the user’s group list to determine group membership.

If the calculated value for this parameter is smaller than the typical number of groups a user is a member of, Centrify DirectControl iterates over all of the group profiles enabled for the zone to determine group membership. For example, if there are fewer group profiles defined for the zone than the number of groups the user is a member of, Centrify DirectControl uses the zone’s group profile list to determine group membership.

Switching between the two methods for determining group membership may improve the log-in time for some users. You can use this configuration parameter to override the calculated value. 

If you always want to use the user’s group membership list rather than iterate through the list of group profiles defined for the zone, you can set this parameter to an artificially high value.

If you always want to use the zone’s group profile list rather than iterate through the user’s group membership list, you can set this parameter to an artificially low value.

For example:
adclient.zone.group.count: 6

Resolution:

One can avoid this message by setting the correct value for the configuration parameter

adclient.zone.group.count

in /etc/centrifydc/centrifydc.conf, and then running the command "adreload".
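
To see which hosts are logging this message and which values adclient reported, the log can be summarized with a short script. This is an added example, not Centrify code: the function name summarize_resets and the fourth sample line are constructed for illustration, and the regular expression assumes the syslog line layout shown in the Question above.

```python
import re
import sys

# Constructed sample input: the first three entries are the syslog lines quoted
# in this article; the fourth is a made-up unrelated line that must be skipped.
_HDR = "censfac2d adclient[651]: [ID 702911 auth.info] INFO"
_MSG = ("daemon.ipcclient getUserGroupsByZone: More than 458 groups in the zone, "
        "dynamically resetting adclient.zone.group.count to 503 (+10%)")
SAMPLE_LOG = [
    f"Nov 5 01:39:30 {_HDR} <fd:22 NSSGetUserGroupIDs> {_MSG}",
    f"Nov 5 01:55:31 {_HDR} <fd:16 NSSGetUserGroupIDs> {_MSG}",
    f"Nov 5 01:56:31 {_HDR} <fd:16 NSSGetUserGroupIDs> {_MSG}",
    f"Nov 5 01:57:02 {_HDR} <fd:16 NSSGetUserGroupIDs> constructed unrelated line",
]

# Assumed layout: "<Mon> <day> <hh:mm:ss> <host> adclient[<pid>]: ... <message>"
RESET_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+adclient\[\d+\]:"
    r".*More than (?P<exceeded>\d+) groups in the zone, dynamically resetting "
    r"adclient\.zone\.group\.count to (?P<reset_to>\d+)"
)


def summarize_resets(lines):
    """Return {host: summary} for each host that logged the reset message."""
    summary = {}
    for line in lines:
        m = RESET_RE.search(line)
        if m is None:
            continue  # not the group-count reset message
        entry = summary.setdefault(
            m["host"], {"occurrences": 0, "first_seen": m["ts"], "values": set()}
        )
        entry["occurrences"] += 1
        entry["last_seen"] = m["ts"]
        # (count that was exceeded, value adclient reset the parameter to)
        entry["values"].add((int(m["exceeded"]), int(m["reset_to"])))
    return summary


if __name__ == "__main__":
    # Pass a log path such as /var/log/centrifydc.log, or no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            result = summarize_resets(fh)
    else:
        result = summarize_resets(SAMPLE_LOG)
    for host, s in result.items():
        print(host, s["occurrences"], s["first_seen"], s["last_seen"], sorted(s["values"]))
```

A host that keeps reporting the same pair of values, as in the sample, is still hitting the reset on each occurrence and is a candidate for the explicit setting described in the Resolution.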
