Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-19146: Temporary certificate files left in the tmp directory

Authentication Service ,   Smart Card Service ,  

20 August,19 at 07:56 PM

In the /var/centrify/tmp directory on a Unix machine, certificate files cdc-derformcrl and sc_cert are filling up the directory.

Certificates are pulled from active directory that are stored on the local unix box /var/centrify/net/certs that can be used for purposes such as smart cards and mfa.
It does a transform on the certificate to get the crl information and that's where the cdc-derformcrl files come from. They are cleaned up automatically when the gpmapper script completes the pull and conversion of these certificates. So, if you aren't using the certificates then we could turn off the group policy that grabs those certificates and prevent those tmp files from being created entirely. 

The gpmappers script is what runs to control this process of pulling the certs and the conversion process. By default each mapper is allowed 30 seconds to complete and all mapper scripts should be completed in 4 minutes (240 seconds) before adclient kills the scripts.

This timeout is configurable in the Centrify configuration file in /etc/centrifydc/centrifydc.conf.
This governs how long adclient is going to wait for runmappers before abandoning the attempt to wait for it to end.
Open the configuration file and change the following lines: gp.mappers.timeout: 30   gp.mappers.timeout.all: 240

gp.mappers.timeout.all governs how long the client waits for all run mappers to complete. 
gp.mappers.timeout governs how long each individual run mapper has to complete.
The 30 and 240 values are in seconds, and should be configured appropriately. If the entire process finishes without any timeouts, we will automatically clean up the cdc-derformcrl files from the directory. If these mapper scripts do not have enough time to complete, this will leave cdc-derformcrl files in the tmp directory until manually cleared out.
You can test if your timeout allows enough time by running adgpupdate which will force another pull of these certificates. Be sure you manually clear out the tmp directory before running adgpupdate to get accurate results on which files are still timing out. 

The sc_cert files are created by smart card logins and are not subject to the gp.mappers.timeout values. These files will not be cleared out automatically, but are relatively small in size around 2kb. You can create a cron job to manually clear out these files on a regular basis without disrupting functionality.