Applies to: All versions of Centrify DirectControl
Problem:
The following messages are observed when Centrify's adclient (version 4.3.x) does not start, and adinfo reports it as DOWN.
Jan 24 21:09:35 vlman3 adinfo[5612]: INFO lrpc.session process authentication request failed: ipc socket connect: No such file or directory
Jan 24 21:09:35 vlman3 adinfo[5612]: DEBUG util.except (IO) : ipc socket connect: No such file or directory (reference lrpc/ipcmessage.cpp:434 rc: 1)
Jan 24 21:09:35 vlman3 adinfo[5612]: INFO lrpc.session process authentication request failed: ipc socket connect: No such file or directory
Jan 24 21:09:37 vlman3 adinfo[5616]: DEBUG util.except (IO) : ipc socket connect: No such file or directory (reference lrpc/ipcmessage.cpp:434 rc: 1)
Jan 24 21:09:37 vlman3 adinfo[5616]: INFO lrpc.session process authentication request failed: ipc socket connect: No such file or directory
Jan 24 21:09:37 vlman3 adinfo[5616]: DEBUG util.except (IO) : ipc socket connect: No such file or directory (reference lrpc/ipcmessage.cpp:434 rc: 1)
Jan 24 21:09:37 vlman3 adinfo[5616]: INFO lrpc.session process authentication request failed: ipc socket connect: No such file or directory
Cause:
This is not a Centrify issue. The problem was caused by slow customer network/DNS servers.
From a network trace, it was observed that adclient had to wait for a very long time for a response from DNS servers. They were very slow to respond, resulting in the Centrify agent (adclient) going into a Down state.
Workaround:
Edit the /etc/centrifydc/centrifydc.conf config file as root:
Set the following:
- dns.forcetcp: true
  - This disables attempts over the UDP protocol, which cause further delays.
  - This configuration parameter specifies whether to allow Kerberos requests to use UDP, or to force all Kerberos requests to use TCP.
- adclient.dns.cache.size: 100
  - This configuration parameter specifies the maximum number of unique DNS requests that should be cached by the Centrify DirectControl Agent.
  - The value of this parameter should be approximately 10 times the number of unique domains in the forest.
  - For example, if there are eight unique domains in the Active Directory forest, it is suggested to allow the agent to cache up to 80 unique DNS requests.
  - When setting this value, consider the network bandwidth and activity and local disk and memory availability (the default value is 50).
- dns.dc.... (set to 2 DCs)
- dns.gc.... (set to 2 GCs)
  - These two dns.* parameters hardcode the server addresses so that the agent goes straight to the target DCs and GCs, bypassing the slow DNS servers.
After saving the configuration file with the edits above, run the 'adreload' command to commit the changes and restart the Centrify agent.
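To confirm the workaround actually landed in the file before restarting the agent, the following added checker (not Centrify's code) parses a centrifydc.conf and reports which of the settings above are missing or too small. It assumes the file uses "name: value" lines with '#' comments, that the elided dns.dc.... and dns.gc.... parameters share the prefixes dns.dc. and dns.gc., and that a cache size below 10 times the domain count should be flagged; the sample configuration is constructed inline.

```python
"""Check a centrifydc.conf for the DNS workaround settings described in this article."""
import re

# Constructed sample in the assumed "name: value" style; not a real customer file.
SAMPLE_CONF = """\
# Centrify DirectControl configuration (constructed sample)
dns.forcetcp: true
adclient.dns.cache.size: 60
dns.dc.example.com: dc1.example.com dc2.example.com
"""

# Default cache size stated in the article when the parameter is absent.
DEFAULT_CACHE_SIZE = 50


def parse_conf(text):
    """Parse 'name: value' lines into a dict, ignoring blanks and '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([\w.\-]+)\s*:\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def check_workaround(settings, unique_domains):
    """Return {setting: problem} for every workaround setting that is absent or weak."""
    findings = {}
    if settings.get("dns.forcetcp", "false").lower() != "true":
        findings["dns.forcetcp"] = "not true; UDP attempts remain enabled"
    recommended = 10 * unique_domains  # article's rule of thumb
    try:
        size = int(settings.get("adclient.dns.cache.size", DEFAULT_CACHE_SIZE))
    except ValueError:
        size = -1  # non-numeric value is treated as unset
    if size < recommended:
        findings["adclient.dns.cache.size"] = (
            f"is {size}, recommended about {recommended} (10 x {unique_domains} domains)")
    for prefix in ("dns.dc.", "dns.gc."):
        if not any(k.startswith(prefix) for k in settings):
            findings[prefix] = f"no {prefix}* entry; lookups still depend on the slow DNS servers"
    return findings
```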
Note: