Applies to: Centrify DirectControl 5.1.2 on all platforms
Problem:
High CPU consumption is noticed when a system is joined to a classic zone. Extracts in centrifydc.log will show the following messages repeatedly:
adclient.session Background cache population of Group starting...
Nov 19 09:29:04 server adclient[539]: [ID 702911 auth.debug] DEBUG <bg:run-queue> adclient.session Background cache population of Group finished
Cause:
Background refresh of the user and group lists was introduced in Centrify DirectControl version 5.x so that, on an enumeration query request, adclient returns what it has in cache and then schedules a refresh in the background if necessary.
With classic zones, this refresh does not do any cache population for groups. When session data is iterated from cache, the search marker is not updated after the enumeration ends. Because the group enumeration search marker is never updated, the iteration refresh is queued again every time the background task does the refresh. The symptom is that the refresh repeats continuously within a very short time span.
Domain controllers will also experience heavy traffic from Centrify servers.
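To confirm the symptom from centrifydc.log, the following added example (not Centrify code) counts "Background cache population of Group starting" messages in a sliding time window and flags a tight loop. The function names, the 60-second window, the threshold of 10 and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Matches the "starting" message in the syslog layout quoted in the Problem section.
START_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*adclient\.session "
    r"Background cache population of Group starting")

def parse_ts(ts, year=2000):
    # Syslog timestamps carry no year; a fixed leap year is assumed so "Feb 29"
    # parses. Only differences between timestamps are used.
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")

def peak_group_refreshes(lines, window_seconds=60):
    """Largest number of Group refresh starts seen within any sliding window."""
    window, recent, peak = timedelta(seconds=window_seconds), deque(), 0
    for line in lines:
        m = START_RE.match(line)
        if not m:
            continue  # "finished" lines and unrelated messages are ignored
        now = parse_ts(m.group("ts"))
        if recent and now < recent[-1]:
            recent.clear()  # clock went backwards (year rollover or rotated log)
        recent.append(now)
        while now - recent[0] > window:
            recent.popleft()
        peak = max(peak, len(recent))
    return peak

def is_refresh_loop(lines, window_seconds=60, threshold=10):
    # threshold is an assumed tuning value, not a figure from the vendor
    return peak_group_refreshes(lines, window_seconds) >= threshold

def constructed_log(count, step_seconds):
    """Constructed sample: `count` start/finish pairs, `step_seconds` apart."""
    base, out = datetime(2000, 11, 19, 9, 29, 0), []
    for i in range(count):
        ts = (base + timedelta(seconds=i * step_seconds)).strftime("%b %d %H:%M:%S")
        head = (f"{ts} server adclient[539]: [ID 702911 auth.debug] DEBUG "
                "<bg:run-queue> adclient.session Background cache population of Group ")
        out += [head + "starting...", head + "finished"]
    return out

if __name__ == "__main__":
    for name, log in (("tight loop", constructed_log(12, 2)),
                      ("sparse", constructed_log(3, 600))):
        print(name, peak_group_refreshes(log), is_refresh_loop(log))
```

Running the same check again after applying the workaround or the upgrade shows whether the refresh rate has dropped.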
Workaround:
In /etc/centrifydc/centrifydc.conf, modify or append the following parameter. After making this change, restart centrifydc and run adflush -f to clear the cache:
adclient.iterate.private.groups: true
The following parameter should also be changed from its default value of 600 to 3600 (or higher):
adclient.cache.expires: 3600
Resolution:
Customers running into this issue should upgrade to Centrify DirectControl version 5.1.3 (Suite 2014) or higher to obtain an agent build which fixes this issue.
The "adclient.cache.expires" parameter will also default to 3600 starting in the Suite 2014 release so it will no longer be necessary to manually set this parameter after upgrade.