Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-6861: How to Set Limits for Managed Local Users

Centrify DirectControl ,  

12 May,16 at 09:12 PM

Applies to:   

Centrify DirectManage Access Manager Suite 2016 for AIX 


Problem:

As a local user on AIX there is often a requirement that Operating System limits for the user be modified to allow greater or lesser access. For example, it might be the case that the local user needs to have unlimited file size, unlimited core file size or unlimited cpu cycles. Traditionally, when a local user on AIX requires operating system limits to be set, an entry is made into the file /etc/security/limits . With Suite 2016, when the adflush command is run, the /etc/security/limits file is re-written and the stanza entries are removed for the local user.

Note: For operating systems other than AIX, where limits are stored in /etc/security/limits.conf, the adflush command does not rewrite the limits.conf file.

 
Cause:
 
Beginning with Suite 2016, there is a new feature in Centrify Server Suite known as a Managed Local User. This feature is available in hierarchical zones and allows local users on Unix machines to be managed in Active Directory through Access Manager.  Since Centrify is managing the local user, it will use Active Directory to determine the operating system limits required and recreate the /etc/security/limits file.


Resolution:
 
This resolution gives instruction on how to manage these limits for a Centrify managed local user account on AIX.

Step 1: Using Access Manager, locate the managed local user account.

Step 2: In the properties for the user, find the location of the zone profile
 
User-added image



Step 3: Open Active Directory Users and Computers and browse to the managed local users profile.  Go to the LocalUsers container to find the SCP (serviceConnectionPoint)

User-added image



Step 4: Open the Properties page for the local user and go to the Attribute Editor tab.  Locate the keywords attribute, highlight and click Edit:
 
User-added image



Step 5: Keywords is a multi-value attribute and the syntax must be precise.  In the Value to add field you will enter the limit string you want to change, followed by a colon ":" and then the value. Then pick the Add button to actually add the value.  In the image below the attributes have been added for aix.fsize, aix.core, aix.cpu
 
User-added image


The list of values that can be set are:
 
aix.fsize - Identifies the soft limit for the largest file a user's process can create or extend.
aix.core - Specifies the soft limit for the largest core file a user's process can create
aix.cpu - Sets the soft limit for the largest amount of system unit time (in seconds) that a user's process can use.
aix.data - Identifies the soft limit for the largest process data segment for a user's process.
aix.rss - Sets the soft limit for the largest amount of physical memory a user's process can allocate
aix.stack - Specifies the soft limit for the largest process stack segment for a user's process.
aix.nofiles - Sets the soft limit for the number of file descriptors a user process may have open at one time

Hit the OK button and Apply the changes to Active Directory.


Step 6: Back on the AIX machine, as root, run adflush -f for the changes to take effect


Step 7: Check the limits for that user

$ ulimit -a
 
User-added image
 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.