Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-41209: Details on How Centrify Authentication Service Debug is Enabled

Authentication Service ,  

30 September,20 at 04:12 PM

This article reviews the specifics on how addebug on redirects messages to /var/log/centrifydc.log.  This information can be used to modify the behavior of Centrify DirectControl (CDC) debug logging and get more finely tuned debug messages.

When adclient starts up, it loads the CDC PAM/NSS library.  This library will send messages via LRPC, to adclient to handle requests such as "get user by name" (aka getpwdnam)  The library cannot take over the the logging for the process that is calling getpwdnam() (i.e. sshd, ps, db2), so, the library will send its own message to adclient to be logged.

The control for the adclient logger is in /etc/centrifydc/centrifydc.log.  The pertinent parameter is:
  
logger.facility.*: auth
  
This parameter configures adclient to use "auth" as the logging facility when calling openlog(). The specified logging facility can be configured to define the destination for the logging entries.  For example, on RedHat version 7, using the systemd service manager, the logging facility is journald and the configuration file is /etc/rsyslog.conf

The default adclient log level in centrifydc.conf is:
  
log: INFO
  
When addebug on , is executed, the following changes are made
  
1) in centrifydc.conf
log: DEBUG
  
2) in /etc/rsyslog.conf
# For DirectControl logging
# Centrify DirectControl logging
auth.debug                         -/var/log/centrifydc.log
$SystemLogRateLimitInterval 5      # line inserted by Centrify
$SystemLogRateLimitBurst 30000     # line inserted by Centrify

The default behavior is to redirect the journald log for auth.debug requests to /var/log/centrifydc.log

The Centrify logger has a hierarchical structure similar to  log4j.  For example, an entry in the logfile may look like:
   
Sep 29 09:52:14 rhel7 adclient[1282]: DEBUG <main> util.threadpool Pool size 3/4, busy size 1/20
 
where
DEBUG is the log priority (other levels are DEBUG, DIAG, INFO, WARN, ERROR, etc.)
<main> is the thread name
util.threadpool is the component
  
The logger will first look at this centrifydc.conf parameter to determine the log priority:
  
log.util.threadpool: DEBUG
  
Then the util.threadpool component will generate DEBUG level messages to logger.  If this parameter is not set, the logger will look at the more general, log.util, and finally to the top level log.  So to enable just DEBUG on the util.threadpool, the following settings can be made in centrifydc.conf
  
log: INFO
log.util.threadpool: DEBUG
  
Note: When changes are made to centrifydc.conf, the command, adreload, must be run before the changes will be applied.

The logger.facility.* parameter can also be more finely tuned using the format logger.facility.<process>.  For example, to apply the auth facility to just the adclient process, the parameter would look like:
  
logger.facility.adclient: auth
  
The default '*' matches all processes.  Other process that could be specified are cdcwatch, adnisd, diag, etc.

From here it is up to the rsyslog.conf to specify the logfile destination for "auth"

The addebug command is a shell script that is a general debug tool to assist in setting all these parameters to enable debug.  The most common usage for addebug is:
  
# addebug on - turns on DEBUG for all components and all processes.
# addebug off - turns all DEBUG off
# addebug clear - clears the /var/log/centrifydc.log file of all messages

The script can also be used to enable debug on specific components.  For example:
  
# addebug set util.threadpool DEBUG
  
will enable DEBUG on just the util.threadpool component as described above.
  
  

Related Articles

 articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part III article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part II articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin?