Centrify DirectControl 4.4.3 or above on AIX 5.3 or above.
The ulimit command sets or reports user process resource limits.
-a Lists all of the current resource limits.
We found that the ulimit values of AD users do not match /etc/security/limits.
# ulimit -a
threads(per process) 262144
processes(per user) 262144
/etc/security/limits is set to:
fsize = -1
core = 2097151
cpu = -1
data = 262144
rss = -1
stack = 262144
nofiles = 2000
The file, data and stack values reported by ulimit differ from the settings above. Here is the explanation for each of them:
1. data(kbytes) 131072 comes from the default data = 262144, which is expressed in 512-byte blocks (262144 × 512 bytes = 131072 kbytes).
2. stack(kbytes) 131072 comes from the default stack = 262144 (in blocks), by the same conversion.
3. file(blocks) 2097151 appears because Centrify supplies fsize_hard = 2097151 if no definition of the hard limit is found. Since the soft limit can't be greater than the hard limit, it takes the same value as the hard limit.
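The three rules above can be checked against a limits file with a short script. This is an added example, not Centrify or IBM code: the function names are hypothetical, the sample stanza is constructed from the values quoted on this page, and the 2097151 fallback is taken from the explanation above.

```shell
#!/bin/sh
# Added example: predict the `ulimit -a` values an AD user gets from the
# default stanza of an AIX limits file, following the rules explained above.

# Constructed sample with the /etc/security/limits values quoted on this page.
sample_limits() {
    printf 'default:\n\tfsize = -1\n\tcore = 2097151\n\tcpu = -1\n'
    printf '\tdata = 262144\n\trss = -1\n\tstack = 262144\n\tnofiles = 2000\n'
}

# get_limit ATTR FILE: print ATTR from the default stanza (empty if not set).
get_limit() {
    awk -v want="$1" '
        /^\*/ { next }                                  # comment line
        /^[^ \t].*:[ \t]*$/ { in_def = ($1 == "default:"); next }
        in_def && $1 == want && $2 == "=" { print $3; exit }
    ' "$2"
}

# blocks_to_kb N: 512-byte blocks to kbytes; -1 means unlimited.
blocks_to_kb() {
    if [ "$1" = "-1" ]; then echo unlimited; else echo $(( $1 / 2 )); fi
}

# effective_fsize SOFT HARD: the soft limit cannot exceed the hard limit.
# An empty HARD falls back to 2097151, the value the page says Centrify supplies.
effective_fsize() {
    soft=$1; hard=${2:-2097151}
    if [ "$hard" = "-1" ]; then
        if [ "$soft" = "-1" ]; then echo unlimited; else echo "$soft"; fi
    elif [ "$soft" = "-1" ] || [ "$soft" -gt "$hard" ]; then
        echo "$hard"
    else
        echo "$soft"
    fi
}

# predict FILE: print the three values that differed in `ulimit -a`.
predict() {
    echo "file(blocks) $(effective_fsize "$(get_limit fsize "$1")" "$(get_limit fsize_hard "$1")")"
    echo "data(kbytes) $(blocks_to_kb "$(get_limit data "$1")")"
    echo "stack(kbytes) $(blocks_to_kb "$(get_limit stack "$1")")"
}

# Demo on the constructed sample.
tmp=$(mktemp) && sample_limits >"$tmp" && predict "$tmp"; rm -f "$tmp"
```

Adding fsize_hard = -1 to the default stanza of the input makes the first line print unlimited instead of 2097151.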
Note: For AIX attributes, adclient resolves the settings for an AD user in this order:
Check if the AD user has AIX attributes defined in AD. If not defined, adclient will check the system default settings, e.g. /etc/security/limits.
If none are defined in the system default, it will then load the settings in /etc/centrifydc/centrifydc.conf.
So the priority will be:
AD user attribute > system defaults > centrifydc.conf settings
There is no way to have centrifydc.conf override the system default settings.
Customers should check whether the ulimit values match the system default configuration, and also check whether the value is defined in an AD attribute with the command:
adquery user <username> -X aix.<attribute>
Please use /etc/security/limits to set fsize_hard = -1. After this, run the command adflush and run the ulimit command again.
This will be fixed in DirectControl 5.1 release.