Cannot add new Samba Export when Active Directory Service is on

Hello,

System enviroment: Rockstor 3.8-12, fresh installation,
The Service Active Directory is on.
In System --> Identity --Users i see all AD Users ( more than 4000)
In System --> Identity --> Groups i see all AD groups (more than 1700)

When i want add a new samba Export, i become the following error:

Error!
Unknown internal error doing a GET to /api/users?page=1&format=json&page_size=5000&count=
If you need more help on this issue, email us at support@rockstor.com with the following information:
The error message: "Unknown internal error doing a GET to /api/users?page=1&format=json&page_size=5000&count="A step by step description of the actions leading up to the error.Download the tarred and zipped server logs by clicking here, and attach it to the email.

When i disable the Active Directory Service (and after a reboot), the AD users and groups are deleted, i can add an new Samba Export.
Perhaps too many users and groups in AD?

Regards
Anton

Hi Anton,

I know exactly what you describe here. System users and domain users are put together and when there are large number of domain users, it’s too slow and api requests are timing out. I am fully aware of this and fix should be available soon. I am taking a brief time off from Rockstor this week, but I hope to get to this soon as possible. Thanks for reporting in great detail!

Hello,

thanks for your quick reaction time.
I am impressed (faster than the NetApp support).

Anton

Hi Anton and suman

I am trying out Rockstor for the first time. (3.9.1-0)
I also got this error as Anton is writing about.
After selecting “Enable RFC2307 and use UIDS and homes/shells AD DC values” It was possible for me to get a group list from Active Directory without the timeout error.

However it seems that a timeout still is there.
I don’t get all the groups from AD.
Also sometimes after trying to setup groups in my shares, the list disappears and I can only see local users.
Then the error will get displayed again.

Is there someway to extend the API or could I maybe add only selected groups or OU’s from my AD domain?
This is okay also to do in a config file if possible.
Any input will be appreciated.

@warfacechamp Welcome to the Rockstor community.

I can’t answer this one myself currently but @Flyer has contributed a number of Rockstor AD enhancements, including work in this area I think, and may be able to chip in.

Also it may be worth updating your install as 3.9.1-0 is pretty old now, or even just all other apps as per the suggestions later on in the following post:

which funnily enough is a fine feature added by @Flyer .

Hope that helps.

Hi @warfacechamp, Ciao @phillxnet!

Ok, we need to bisect this issue to understand if Python related or AD Join related:

@warfacechamp how many users & groups does your AD DC serve?

To perform a useful test: open your shell with root user, type
time getent passwd

Rockstor updates its WebUI groups while reading users list, users list got via a ptyhon subprocess with getent passwd with 90 secs timeout

We should think about moving from a subprocess with getent passwd to a builtin python pwd.pwd.getpwall() loop -> some checks over AD users visibility needed

M.

EDIT:
To have some “fun” and checks with python, open a shell, type python and paste this:

import grp
for group in grp.getgrall():
    if len(group.gr_mem):
        print 'Group {}:\n\tUsers:\n\t\t{}\n'.format(group.gr_name, '\n\t\t'.join(group.gr_mem))

This will provide a list of all of your Rockstor not empty groups with group members!

@Flyer @phillxnet

Thanks for you quick reply.
I didn’t update yet, but if you think its worth it I will I didn’t update because I thought that 3.9.1-0 was the latest stable version.

Today when I go to System - Identity - Groups I can see 5000 groups.
I still can’t see any users.
I don’t know how many users we have exactly, but I would think its a lot. +10.000.

I did the “time getent passwd” which gave me a very long output of user accounts.
It finished with this output.
real 0m11.969s
use 0m0.137s
sys 0m0.329s

I then pasted the python script but I must be doing something wrong.
After pasting the script it dosn’t seem to execute but just add a new line if I press enter.

[root@mnemosyne ~]# python
Python 2.7.5 (default, Nov 6 2016, 00:28:07)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-11)] on linux2
Type “help”, “copyright”, “credits” or “license” for more information.

import grp
for group in grp.getgrall():
… if len(group.gr_mem):
… print ‘Group {}:\n\tUsers:\n\t\t{}\n’.format(group.gr_name, ‘\n\t\t’.join(group.gr_mem))
…

When trying to create a new Share under Samba Service, the timeout with the warning shows after loading some time.
Is there a default setting for max 5000 users or groups maybe?

Hi @warfacechamp,
sorry for missing a little detail over python code: you have to give an extra “enter” after copy&paste to run it

getent passwd over +10K users in nearly 11secs is good, so users retrieving probably not failing.

Can you check on your Rockstor logs? any attempt to get users list with errors should produce a new error line over Rockstor log file

M.

Hi @Flyer

I downloaded the log files which says something about being in the wrong workgroup.
This is correct that I had this problem with trying to join the domain.
I then changed the workgroup to SDU under the Samba service and then I could join.

You think I should remove the AD and shares. Then reconnect with AD and do the shares again?

Here is the output.
[06/Feb/2018 09:51:26] ERROR [storageadmin.util:44] exception: Error running a command. cmd = /usr/bin/net ads join -U atvn. rc = 255. stdout = [“Enter account’s password:”, ‘Failed to join domain: Invalid configuration (“workgroup” set to ‘WORKGROUP’, should be ‘SDU’) and configuration modification was not requested’, ‘’]. stderr = [’’]
Traceback (most recent call last):
File “/opt/rockstor/src/rockstor/rest_framework_custom/generic_view.py”, line 41, in _handle_exception
yield
File “/opt/rockstor/src/rockstor/smart_manager/views/active_directory.py”, line 227, in post
self._join_domain(config, method=method)
File “/opt/rockstor/src/rockstor/smart_manager/views/active_directory.py”, line 78, in _join_domain
return run_command(cmd, input=(’%s\n’ % config.get(‘password’)))
File “/opt/rockstor/src/rockstor/system/osi.py”, line 115, in run_command
raise CommandException(cmd, out, err, rc)
CommandException: Error running a command. cmd = /usr/bin/net ads join -U account. rc = 255. stdout = [“Enter account’s password:”, ‘Failed to join domain: Invalid configuration (“workgroup” set to ‘WORKGROUP’, should be ‘SDU’) and configuration modification was not requested’, ‘’]. stderr = [’’]
[06/Feb/2018 10:13:50] ERROR [storageadmin.util:44] exception: Share(ShareA) cannot be deleted as it is shared via Samba. Unshare and try again
Traceback (most recent call last):
File “/opt/rockstor/eggs/gunicorn-0.16.1-py2.7.egg/gunicorn/workers/sync.py”, line 34, in run
client, addr = self.socket.accept()
File “/usr/lib64/python2.7/socket.py”, line 202, in accept
sock, addr = self._sock.accept()
error: [Errno 11] Resource temporarily unavailable
[06/Feb/2018 15:03:54] ERROR [storageadmin.util:44] exception: Exception while running command([’/bin/chown’, ‘-R’, u’sysop:ADM\dl-adm-it-service faggruppe netv\u0102\u015ark’, u’/mnt2/ShareA’]): ‘ascii’ codec can’t encode characters in position 42-43: ordinal not in range(128)
Traceback (most recent call last):
File “/opt/rockstor/src/rockstor/rest_framework_custom/generic_view.py”, line 41, in _handle_exception
yield
File “/opt/rockstor/src/rockstor/storageadmin/views/share_acl.py”, line 60, in post
options[‘orecursive’])
File “/opt/rockstor/src/rockstor/system/acl.py”, line 32, in chown
return run_command(cmd)
File “/opt/rockstor/src/rockstor/system/osi.py”, line 107, in run_command
raise Exception(msg)
Exception: Exception while running command([’/bin/chown’, ‘’, u’/mnt2/ShareA’]): ‘ascii’ codec can’t encode characters in position 42-43: ordinal not in range(128)

Also today when I did the getent passwd it seemed to load way more.
Real was 20m9, 387 s
User 0m0,118s
sys 19m4,430s

Pls remove share, unjoin, rejoin!