Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-2010: ulimit does not match /etc/security/limits

Centrify DirectControl ,  

12 April,16 at 11:45 AM

Applies to: 

Centrify DirectControl 4.4.3 or above on AIX 5.3 or above.

 

The ulimit command sets or reports user process resource limits. 

-a   Lists all of the current resource limits

 

Problem:

We found that ulimit value of AD users does not match /etc/security/limits.

 

# ulimit -a 
time(seconds) unlimited 
file(blocks) 2097151 
data(kbytes) 131072 
stack(kbytes) 131072 
memory(kbytes) unlimited 
coredump(blocks) 2097151 
nofiles(descriptors) 2000 
threads(per process) 262144 
processes(per user) 262144 

 

/etc/security/limits is set to:
default: 
fsize = -1 
core = 2097151 
cpu = -1 
data = 262144 
rss = -1 
stack = 262144 
nofiles = 2000

 

Cause:

We can see file, data, stack are different from above example. Here is the explanation on each of them:

 

1. data(kbytes) 131072 came from the default data = 262144 (in 512-byte blocks)

 

2. stack(kbytes) 131072 came from the default stack = 262144 (in blocks)

 

3. file(blocks) 2097151 is due to Centrify supplies fsize_hard = 2097151 if no definition of the hard limit is found.  Since the soft limit can't be greater than the hard limit, it will have same value as hard limit.

 

Note: For AIX attribute, here is the order that adclient will take for AD user: 

 

Check if AD user has AIX attributes defined in AD. If not defined, aclient will check the system default settings e.g.  /etc/security/limits.

If none are defined in the system default, it will then load the settings in /etc/centrifydc/centrifydc.conf. 

 

So the priority will be: 

 

AD user attribute > system defaults > centrifydc.conf settings 

 

There is no way to have centrifydc.conf to override system defaults settings. 

 

Customers should check if the ulimit values matches with the system defaults configuration and also check if the value is defined in AD attribute by command: 

 

adquery user <username> -X aix.<attribute> 

 

Workaround:

Please use /etc/security/limits to set fsize_hard = -1. After this, run the command adflush and run ulimit command again.

 

Resolution:

This will be fixed in DirectControl 5.1 release.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.