Centrify DirectControl 5.1.3 on all platforms
It is noticed that the Centrify agent frequently gets disconnected from AD.
The debug logs show:
May 9 14:42:05 localhost adclient: [ID 702911 auth.warning] WARN <bg:krb5cacheclean> base.kerberos.wrap
Failed to initialize kerberos context (rc=24), reason=init context: Too many open files
May 9 14:42:05 localhost adclient: [ID 702911 auth.warning] WARN <bg:krb5cacheclean> daemon.main Krb5 user credentials cache cleanup failed , init context: Too many open files
Setting adclient.client.idle.timeout: 60 (for example) in /etc/centrifydc/centrifydc.conf helps temporarily.
Restarting centrifydc (adclient) also fixes the issue temporarily, before it gets disconnected again.
Is there any reason why?
There is an issue in our code, specifically with file descriptors.
When DirectAudit (DA) is installed and running, adclient sends audit trail events to DA, which is on by default. Centrify's adclient collects audit trail events from PAM-enabled programs and sends them to DA over a UNIX domain socket connection. DA periodically drops idle connections. The problem is that if there are not many audit trail events, the connection to DA becomes idle and is then closed by DA. The next time adclient needs to send events to DA, it re-establishes a new connection; however, there is a bug in our code where the previous socket is not closed, causing a file descriptor (fd) leak. Each idle-timeout cycle therefore costs one fd, until the process hits its open-file limit and Kerberos context initialization fails with "Too many open files", as in the log above.
For customers who do not need auditing:
In /etc/centrifydc/centrifydc.conf, customers can set audittrail.targets: 0, which causes no audit trail events to be sent to DA, or they can stop DirectAudit.
For customers who need auditing:
In this case, customers need to contact support for a better workaround.
For example, a suitable cron job that generates audit trail events (so the DA connection never goes idle), or simply restarting adclient at frequent intervals.
This issue is being addressed in Centrify Suite 2014.1.
Explanation of the audittrail.targets parameter:
This configuration parameter specifies the target for audit trail information. Possible values are:
0 - Audit information is not sent.
1 - Audit information is sent to DirectAudit. This capability is supported by DirectAudit version 3.2 and later.
2 - Audit information is sent to the local logging facility (syslog on UNIX systems, Windows event log on Windows systems).
3 - Audit information is sent to both DirectAudit and the local logging facility. If DirectAudit 3.2 or later is installed, the default value is 3 (local logging facility and DirectAudit). Otherwise, the default value is 2 (local logging facility only).
For example: audittrail.targets: 3
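The following is an added example, not Centrify's own tooling, covering two things an administrator would want on a host showing the symptoms above: confirming the fd leak (open fds and socket fds of adclient measured against the process's soft open-file limit) before applying a workaround, and reading the effective audittrail.targets value from a centrifydc.conf-style file. It assumes Linux /proc (on Solaris, where the syslog lines above come from, pfiles <pid> gives the same fd listing), that pgrep is available, and the "key: value" line format used by /etc/centrifydc/centrifydc.conf. The sample configuration it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Centrify's own code. Assumes Linux /proc, pgrep, and the
# "key: value" format of /etc/centrifydc/centrifydc.conf.

# Total open fds of a pid; 0 if the process (or /proc) is absent.
fd_count() {
    [ -d "/proc/$1/fd" ] || { echo 0; return 0; }
    ls "/proc/$1/fd" | wc -l | tr -d ' '
}

# Open fds of a pid that are sockets. The leak described above shows up as a
# socket count that keeps climbing although adclient needs only one DA connection.
socket_fd_count() {
    [ -d "/proc/$1/fd" ] || { echo 0; return 0; }
    ls -l "/proc/$1/fd" | grep -c 'socket:' || true
}

# Soft "Max open files" limit of a pid, the ceiling behind "Too many open files".
fd_soft_limit() {
    awk '/^Max open files/ { print $4 }' "/proc/$1/limits" 2>/dev/null
}

# Report on a running adclient; returns 1 when its fds exceed the given percent
# of the soft limit, 2 when adclient is not running, 0 otherwise.
check_adclient() {
    pct=${1:-80}
    pid=$(pgrep -x adclient | head -n 1)
    [ -n "$pid" ] || { echo "adclient is not running"; return 2; }
    total=$(fd_count "$pid"); socks=$(socket_fd_count "$pid"); limit=$(fd_soft_limit "$pid")
    echo "adclient pid=$pid open_fds=$total socket_fds=$socks soft_limit=$limit"
    [ -n "$limit" ] && [ "$limit" != "unlimited" ] && [ $((total * 100 / limit)) -ge "$pct" ] && return 1
    return 0
}

# Value of a "key: value" parameter in a centrifydc.conf-style file, or "unset".
# Comment lines are skipped; the last occurrence of the key wins.
conf_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (index(line, key) == 1) {
                rest = substr(line, length(key) + 1)
                if (rest ~ /^[[:space:]]*:/) {
                    sub(/^[[:space:]]*:[[:space:]]*/, "", rest)
                    sub(/[[:space:]]+$/, "", rest)
                    v = rest
                }
            }
        }
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# Constructed sample of centrifydc.conf for the demo; prints the temp file path.
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real /etc/centrifydc/centrifydc.conf
adclient.client.idle.timeout: 60
#audittrail.targets: 3
audittrail.targets: 0
EOF
    echo "$f"
}

# Run the live checks only when invoked with "run"; sourcing just defines the functions.
if [ "${1:-}" = "run" ]; then
    check_adclient 80
    conf_value /etc/centrifydc/centrifydc.conf audittrail.targets
fi
```

Run it as `sh adclient_fd_check.sh run` from cron or a monitoring agent; a socket_fds count that grows by one per idle-timeout period while audit volume is low is the signature of this bug, and a non-zero return from check_adclient is the point at which restarting adclient (or setting audittrail.targets: 0 where auditing is not needed) should happen before Kerberos operations start failing.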