Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-4011: High CPU consumption after a system with adclient is joined to a classic zone

Authentication Service ,  

12 April,16 at 11:14 AM

Applies to: Centrify DirectControl 5.1.2 on all platforms

 
Problem:
 
High CPU consumption is noticed when a system is joined to a classic zone. Extracts in centrifydc.log will show the following messages repeatedly:
 
adclient.session Background cache population of Group starting...
Nov 19 09:29:04 server adclient[539]: [ID 702911 auth.debug] DEBUG <bg:run-queue> adclient.session Background cache population of Group finished

 
Cause:
 
The background refresh of users and group list is introduced in CentrifyDirect Control version 5.x.  This is so that on an enumeration query request, adclient will just return what it has in cache, and then schedule a refresh in background if necessary.
 
With classic zones, this does not do any cache population for groups. When session data iterate from cache, it will not update the search marker after enumeration ended. Since the group enumeration search marker was never updated, the iteration refresh will be queued every time the background task do the refresh. The symptom is it will continuously repeat in a very short time span.

Also domain controllers will experience heavy traffic from Centrify servers.


Workaround:

In /etc/centrifydc/centrifydc.conf, please modify or append the following parameter.  Centrifydc should be restarted and adflush -f should be run to clear cache after making this change:

adclient.iterate.private.groups: true

Also the following parameter should be changed to 3600 (or higher) from the default value of 600.

adclient.cache.expires:  3600

 
Resolution:
 
Customers running into this issue should upgrade to Centrify DirectControl version 5.1.3 (Suite 2014) or higher to obtain an agent build which fixes this issue.  

The "adclient.cache.expires" parameter will also default to 3600 starting in the Suite 2014 release so it will no longer be necessary to manually set this parameter after upgrade.  

Related Articles

 articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6041: How to show current license type in use by adclient articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-3925: How to add Centrify parameter to a group policy articleKB-2045: sudo hangs in autozone and adclient takes high CPU on RHEL/CentOS 6.4 servers