Centrify DirectManage Access Manager Suite 2016 for AIX
Operating system limits for a local user on AIX often need to be modified to allow greater or lesser access. For example, the local user might need unlimited file size, unlimited core file size or unlimited CPU cycles. Traditionally, when a local user on AIX requires operating system limits to be set, an entry is made in the file /etc/security/limits. With Suite 2016, when the adflush command is run, the /etc/security/limits file is rewritten and the stanza entries for the local user are removed.
Note: For operating systems other than AIX, where limits are stored in /etc/security/limits.conf, the adflush command does not rewrite the limits.conf file.
Beginning with Suite 2016, there is a new feature in Centrify Server Suite known as a Managed Local User. This feature is available in hierarchical zones and allows local users on Unix machines to be managed in Active Directory through Access Manager. Since Centrify is managing the local user, it will use Active Directory to determine the operating system limits required and recreate the /etc/security/limits file.
This resolution explains how to manage these limits for a Centrify managed local user account on AIX.
Step 1: Using Access Manager, locate the managed local user account.
Step 2: In the properties for the user, find the location of the zone profile.
Step 3: Open Active Directory Users and Computers and browse to the managed local user's profile. Go to the LocalUsers container to find the SCP (serviceConnectionPoint).
Step 4: Open the Properties page for the local user and go to the Attribute Editor tab. Locate the keywords attribute, highlight it and click Edit.
Step 5: Keywords is a multi-value attribute and the syntax must be precise. In the Value to add field, enter the limit string you want to change, followed by a colon ":" and then the value. Then click the Add button to actually add the value. For example, values can be added for aix.fsize, aix.core and aix.cpu.
The values that can be set are:
aix.fsize - Identifies the soft limit for the largest file a user's process can create or extend.
aix.core - Specifies the soft limit for the largest core file a user's process can create.
aix.cpu - Sets the soft limit for the largest amount of system unit time (in seconds) that a user's process can use.
aix.data - Identifies the soft limit for the largest process data segment for a user's process.
aix.rss - Sets the soft limit for the largest amount of physical memory a user's process can allocate.
aix.stack - Specifies the soft limit for the largest process stack segment for a user's process.
aix.nofiles - Sets the soft limit for the number of file descriptors a user process may have open at one time.
Click OK and apply the changes to Active Directory.
Step 6: Back on the AIX machine, as root, run adflush -f for the changes to take effect.
Step 7: Check the limits for that user:
$ ulimit -a
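The script below is an added example, not Centrify code or part of the original article. It checks keywords values for the precise syntax Step 5 requires and compares them with the user's stanza in an AIX-style limits file, as a scripted complement to Step 7. Assumptions: each aix.<name> keyword maps to the stanza attribute <name>, values are integers with -1 meaning unlimited (the AIX limits file convention), and the user name appuser and the sample file are constructed.

```sh
#!/bin/sh
# Added example: compare keywords values ("aix.<limit>:<value>") with a user's
# stanza in an AIX-style limits file, e.g. after running adflush -f.
# Assumption: keyword aix.<name> maps to the stanza attribute <name>.
LIMIT_NAMES="fsize core cpu data rss stack nofiles"   # names listed on this page

# valid_keyword KW -> 0 if KW is exactly aix.<listed name>:<integer>
valid_keyword() {
    case "$1" in aix.*:*) ;; *) return 1 ;; esac
    name=${1#aix.}; name=${name%%:*}; value=${1#*:}
    case "$name" in ''|*[!a-z]*) return 1 ;; esac
    case " $LIMIT_NAMES " in *" $name "*) ;; *) return 1 ;; esac
    # Assumption: values are integers, with -1 meaning unlimited as in AIX limits.
    case "$value" in -1) return 0 ;; ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# stanza_value FILE USER ATTR -> prints ATTR's value from USER's stanza, if set
stanza_value() {
    awk -v user="$2" -v attr="$3" '
        /^[^ \t#*].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); in_user = ($0 == user); next }
        in_user && $1 == attr && $2 == "=" { print $3; exit }
    ' "$1"
}

# check_keywords FILE USER KW... -> 0 only when every keyword matches the stanza
check_keywords() {
    file=$1; user=$2; shift 2; rc=0
    for kw in "$@"; do
        if ! valid_keyword "$kw"; then
            echo "BAD SYNTAX  $kw"; rc=1; continue
        fi
        want=${kw#*:}; attr=${kw#aix.}; attr=${attr%%:*}
        have=$(stanza_value "$file" "$user" "$attr")
        if [ "$have" = "$want" ]; then
            echo "OK          $attr = $have"
        else
            echo "MISMATCH    $attr: want $want, have ${have:-unset}"; rc=1
        fi
    done
    return $rc
}

# Constructed sample file and user name (not taken from a real host).
sample=$(mktemp)
printf 'default:\n\tfsize = 2097151\n\nappuser:\n\tfsize = -1\n\tcore = -1\n\tcpu = 3600\n' > "$sample"
check_keywords "$sample" appuser aix.fsize:-1 aix.core:-1 aix.cpu:-1 ||
    echo "limits file does not match the keywords values"
```

On the AIX host, pass /etc/security/limits and the managed local user's name in place of the sample file and appuser, with the same strings that were entered in the keywords attribute.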