KB-4565: Centrify disconnects from AD after a period of time

Auditing and Monitoring Service, Authentication Service

12 April '16 at 11:13 AM

Applies to:
Centrify DirectControl 5.1.3 on all platforms
The Centrify agent (adclient) frequently disconnects from Active Directory.
Debug logs show:
May  9 14:42:05 localhost adclient[8893]: [ID 702911 auth.warning] WARN  <bg:krb5cacheclean> base.kerberos.wrap Failed to initialize kerberos context (rc=24), reason=init context: Too many open files
May  9 14:42:05 localhost adclient[8893]: [ID 702911 auth.warning] WARN  <bg:krb5cacheclean> daemon.main Krb5 user credentials cache cleanup failed , init context: Too many open files
rc=24 is errno EMFILE ("Too many open files"): the adclient process has exhausted its open file descriptor limit, so it cannot even initialize a Kerberos context.
Setting adclient.client.idle.timeout: 60 (for example) in /etc/centrifydc/centrifydc.conf helps only temporarily.
Restarting centrifydc (adclient) also fixes the issue temporarily, until the agent disconnects again.

Is there any reason why?
There is a file descriptor leak in the adclient code.
When DirectAudit (DA) is installed and running, adclient sends audit trail events to it; this is on by default. adclient collects audit trail events from PAM-enabled programs and forwards them to DA over a UNIX domain socket connection. DA periodically drops idle connections. If there are not many audit trail events, the connection to DA becomes idle and DA closes it. The next time adclient needs to send events, it re-establishes a new connection, but because of the bug the previous socket is never closed, so every idle/reconnect cycle leaks one file descriptor (fd). Once the process hits its open file limit, it can no longer open the files and sockets it needs (including the Kerberos context shown in the log above) and loses its connection to AD.
For customers who do not need auditing:
In /etc/centrifydc/centrifydc.conf, set audittrail.targets: 0 so that no audit trail events are sent to DA, or stop DirectAudit. Note that 0 also stops audit trail events going to the local logging facility (syslog); see the parameter description below if local logging must be kept.
For customers who need auditing:
Contact Centrify Support for a workaround suited to the environment, for example a cron job that generates audit trail events often enough to keep the DA connection from going idle, or restarting adclient at a regular interval.
This issue is being fixed in Centrify Suite 2014.1.
Explanation of the audittrail.targets parameter:
This configuration parameter specifies the target for audit trail information. Possible settings are:
0 - Audit information is not sent.
1 - Audit information is sent to DirectAudit. This capability is supported by DirectAudit version 3.2 and later.
2 - Audit information is sent to the local logging facility (syslog on UNIX systems, Windows event log on Windows systems).
3 - Audit information is sent to both DirectAudit and the local logging facility.
If DirectAudit 3.2 or later is installed, the default value is 3 (local logging facility and DirectAudit). Otherwise, the default value is 2 (local logging facility only).

For example: audittrail.targets: 3
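The script below is an added example, not Centrify code, that lets an administrator confirm the fd leak described above and check the audittrail.targets setting before choosing a workaround. It reads a /proc/<pid>/fd directory and a /proc/<pid>/limits file (standard Linux locations), a centrifydc.conf file, and a syslog file; the fd directory, limits file, config and log lines it runs against when executed stand-alone are constructed samples built in temporary files, so it runs without a Centrify host. Function names and the sample values are assumptions of this example.

```sh
#!/bin/sh
# Added example (not Centrify code): confirm the adclient fd leak from this KB
# and inspect audittrail.targets. Sample data below is constructed for the demo.

# Summarise one /proc/<pid>/fd directory as "total sockets other".
# On a leaking adclient the socket count keeps climbing while the host is idle:
# each re-established DirectAudit connection leaves the previous one open.
fd_summary() {
    dir=$1 total=0 sockets=0
    for fd in "$dir"/*; do
        [ -L "$fd" ] || [ -e "$fd" ] || continue   # literal glob when dir is empty
        total=$((total + 1))
        case $(readlink "$fd") in
            socket:*) sockets=$((sockets + 1)) ;;
        esac
    done
    echo "$total $sockets $((total - sockets))"
}

# Soft "Max open files" limit from a /proc/<pid>/limits file: the ceiling that
# produces errno 24 (EMFILE, "Too many open files") once the leak reaches it.
soft_nofile_limit() {
    awk '/^Max open files/ { print $4 }' "$1"
}

# Effective audittrail.targets in a centrifydc.conf ("unset" if absent or
# commented out; the KB says the default is then 3 with DirectAudit 3.2+, else 2).
audittrail_targets() {
    val=$(sed -n 's/^[[:space:]]*audittrail\.targets[[:space:]]*:[[:space:]]*\([0-3]\).*/\1/p' "$1" | tail -n 1)
    echo "${val:-unset}"
}

# Meaning of an audittrail.targets value, per the table in this KB.
audittrail_meaning() {
    case $1 in
        0) echo "audit trail not sent" ;;
        1) echo "DirectAudit only" ;;
        2) echo "local logging facility only" ;;
        3) echo "DirectAudit and local logging facility" ;;
        *) echo "unset: defaults to 3 with DirectAudit 3.2+, otherwise 2" ;;
    esac
}

# Count adclient syslog lines carrying the fd-exhaustion signature from the KB
# (the krb5 init failure with rc=24, or the literal errno text).
count_fd_exhaustion() {
    grep -c -E 'adclient\[[0-9]+\].*(Too many open files|rc=24)' "$1" || true
}

# ---- constructed sample data so the script runs without a Centrify host ----
make_sample_fd_dir() {   # 4 ordinary fds + 20 leaked unix sockets = 24 entries
    d=$(mktemp -d); n=0
    for t in /dev/null /dev/null /dev/null /var/centrifydc/kset.domain; do
        ln -s "$t" "$d/$n"; n=$((n + 1))
    done
    while [ $n -lt 24 ]; do ln -s "socket:[$((20000 + n))]" "$d/$n"; n=$((n + 1)); done
    echo "$d"
}
make_sample_limits() {
    f=$(mktemp)
    printf 'Limit  Soft Limit  Hard Limit  Units\nMax open files  1024  4096  files\n' > "$f"
    echo "$f"
}
make_sample_conf() {   # commented-out 3 must be ignored; last active line wins
    f=$(mktemp)
    printf '# audittrail.targets: 3\nadclient.client.idle.timeout: 60\naudittrail.targets: 0\n' > "$f"
    echo "$f"
}
make_sample_log() {    # two KB warning lines plus one unrelated sshd line
    f=$(mktemp)
    cat > "$f" <<'EOF'
May  9 14:42:05 localhost adclient[8893]: [ID 702911 auth.warning] WARN  <bg:krb5cacheclean> base.kerberos.wrap Failed to initialize kerberos context (rc=24), reason=init context: Too many open files
May  9 14:42:05 localhost adclient[8893]: [ID 702911 auth.warning] WARN  <bg:krb5cacheclean> daemon.main Krb5 user credentials cache cleanup failed , init context: Too many open files
May  9 14:42:06 localhost sshd[9001]: Accepted publickey for alice from 10.0.0.5 port 50022
EOF
    echo "$f"
}

# On a live host (as root): report "/proc/$(pgrep -x adclient)/fd" \
#   "/proc/$(pgrep -x adclient)/limits" /etc/centrifydc/centrifydc.conf /var/log/messages
report() {
    fddir=$1 limits=$2 conf=$3 log=$4
    set -- $(fd_summary "$fddir")
    echo "adclient fds: $1 total, $2 sockets, $3 other; soft limit $(soft_nofile_limit "$limits")"
    t=$(audittrail_targets "$conf")
    echo "audittrail.targets: $t ($(audittrail_meaning "$t"))"
    echo "fd-exhaustion log lines: $(count_fd_exhaustion "$log")"
}

report "$(make_sample_fd_dir)" "$(make_sample_limits)" "$(make_sample_conf)" "$(make_sample_log)"
```

Run fd_summary against the live adclient a few minutes apart: a socket count that only grows on an otherwise idle host, approaching the soft limit from /proc/<pid>/limits, is the leak this KB describes. Reading another process's /proc/<pid>/fd requires root, and the socket inodes it reports can be matched to the DA UNIX socket path in /proc/net/unix if you want to confirm which peer the leaked descriptors belong to.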