Syslog shows many rtvscand-related Centrify adclient <fd:xx NSSGetGroupDataByName > warnings

Article ID: 169916

Products

Endpoint Protection

Issue/Introduction


On a system with Symantec Endpoint Protection (SEP) for Linux, you see frequent time-out errors. Syslog shows both rtvscand "WARN <fd:25 rtvscand(10619)> Failed to send message: Timeout during operation, MsgType: 507." and Centrify adclient "WARN <fd:10 NSSGetGroupDataByName > daemon.ipcserver Unable to send reply message to client -- disconnecting client." warnings. Troubleshooting on the Centrify side shows that the issue results from frequent references to the avdefs group.

May 8 04:36:28 <server name> adclient[5827]: WARN <fd:25 rtvscand(10619)> Failed to send message: Timeout during operation, MsgType: 507.
May 8 04:36:28 <server name> adclient[5827]: INFO AUDIT_TRAIL|Centrify Suite|Trusted Path|1.0|2700|Trusted path granted|5|user=<server name>[email protected]<domain name> pid=5827 utc=1494210988133 status=GRANTED server=ldap/rk <root FQDN> 
May 8 04:36:28 <server name> adclient[5827]: INFO AUDIT_TRAIL|Centrify Suite|Trusted Path|1.0|2700|Trusted path granted|5|user=<server name>[email protected]<domain name> pid=5827 utc=1494210988206 status=GRANTED server=ldap/rk <root FQDN>
May 8 04:36:28 <server name> adclient[5827]: WARN <fd:10 NSSGetGroupDataByName > daemon.ipcserver Unable to send reply message to client -- disconnecting client. 
May 8 04:36:28 <server name> adclient[5827]: WARN <fd:16 NSSGetGroupDataByName > daemon.ipcserver Unable to send reply message to client -- disconnecting client. 

Cause

When you join a domain after installing the Centrify agent, nsswitch.conf is automatically updated to use the Centrify agent's NSS module first. Using its adclient process and the service library, the Centrify NSS module accesses network information that is stored in Active Directory through LDAP. Because local groups (such as avdefs) are not part of Active Directory, the module cannot retrieve the related information, and a performance issue occurs.

Environment

  • SEP for Linux

Resolution

This issue has been resolved in Centrify Server Suite DirectControl (DC) 5.4.0 or higher. Please refer to the third-party vendor for more information.

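As a workaround, the following one-liner configures a Red Hat-based system to export all local users and groups to /etc/centrifydc/user.ignore and /etc/centrifydc/group.ignore on an hourly basis. The trailing chmod is required because run-parts only executes files in /etc/cron.hourly that have the executable bit set:

echo "cut -d: -f1 /etc/passwd | tr '\n' ' ' >/etc/centrifydc/user.ignore && cut -d: -f1 /etc/group | tr '\n' ' ' >/etc/centrifydc/group.ignore" > /etc/cron.hourly/1centrifyignore && chmod 755 /etc/cron.hourly/1centrifyignore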
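
To confirm that the workaround covers every local account (including avdefs), the check below compares /etc/passwd and /etc/group against the two ignore files. It is an added example, not part of the vendor article; the function names are hypothetical, and it assumes the ignore files hold whitespace-separated names as written by the one-liner above.

```sh
#!/bin/sh
# Added example: audit the Centrify ignore files against the local account
# databases. File locations are the ones named in the article; the function
# names are hypothetical.

# missing_from_ignore DBFILE IGNOREFILE
# Prints each name in a passwd/group-style file (first ':' field) that does
# not appear in the whitespace-separated ignore file. A missing or empty
# ignore file is treated as listing nothing, so every local name is reported.
missing_from_ignore() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk -F: -v ignore="$2" '
        BEGIN {
            # Load the ignore list; names may be separated by spaces or newlines.
            while ((getline line < ignore) > 0) {
                n = split(line, f, /[ \t]+/)
                for (i = 1; i <= n; i++) if (f[i] != "") listed[f[i]] = 1
            }
        }
        /^[#+-]/ || $1 == "" { next }   # skip comments and NIS compat entries
        !($1 in listed)      { print $1 }
    ' "$1"
}

# check_ignore_coverage [ETCDIR] [CENTRIFYDIR]
# Returns 0 when both ignore files are complete, 1 when a local user or group
# is missing from them, 2 when a database file cannot be read.
check_ignore_coverage() {
    etc=${1:-/etc}; cdc=${2:-/etc/centrifydc}; rc=0
    for pair in passwd:user group:group; do
        dbfile=$etc/${pair%%:*}
        ignfile=$cdc/${pair##*:}.ignore
        missing=$(missing_from_ignore "$dbfile" "$ignfile") || return 2
        if [ -n "$missing" ]; then
            # Unquoted on purpose: print the missing names on one line.
            echo "$ignfile lacks:" $missing
            rc=1
        fi
    done
    return $rc
}

# Usage: source this file, then run check_ignore_coverage as root.
```

A non-zero result right after creating a local account is expected until the hourly job runs again.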