Rockstor don't show all users of my domain Active Directory

hi,
I’m new on RockStor, and I have a problem with active directory users.

Brief description of the problem

Rockstor don’t show all users of my domain.
I have one Domain (DOM1.local) with 200 users, and one subdomain (DOM2.DOM1.local) with 24000 users.
Rockstor is joined to the domain to DOM1.local, when i execute on shell “wbinfo -u” i can see all user of DOM1.local.

But when I want to list the users in the web interface, rockstor only shows some users of the domain DOM2.DOM1.local, not the users of domain DOM1.local.

It is possible to filter the users or the domain to consult?

thank very much

Hi @Barahona and welcome to Rockstor!

When you join an AD Dom usually you get all users from that domain, how did you join dom1.local ?? (ex. did you use a user having right perms over dom1.local and sub domain?)

Mirko

Hi @Flyer,
Thanks for the quick reply.

Rockstor is joined to dom1.local.
But DOM2.DOM1.local is a subdomain of dom1.local and between them there is a trust relationship. But the user who set up on web the SERVICES (Configure Active Directory) does not have specific permissions on the subdomain, and don’t exist in subdomain.

Hi @Barahona,
I know how this will end: I’ll have a new fake domain plus a sub domain with thousands of users and will check this :laughing:

My knowledge: domain.local Administrator doesn’t have admin rights over subdomain.domain.local till you get it to Enterprise Admins group (Domain admins group has local scope on every domain)

Can you try this and rejoin? :slight_smile:

Mirko

Good Morning @Flyer,
You’re right, all users of the Primary Domain have permissions to query on the subdomain. So any user of the main Domain can consult the users of the Subdomain.

Is possible there any way to filter users that queries rockstor? Or expand the postgress tables with which you work? The system is only able to recover about 4900 users and gives the following error that I attached in an image:

Thanks,

Daniel

Ok @Barahona let’s have fun with this!
While authenticated to your Rockstor machine on 192.168.1.222 open this address in a new tab : https://192.168.1.222/api/users
So doing we have a direct call to Django REST framework ( our Rockstor WebUI does same thing, but adding “prizes and amusement” aka buttons, tables, nice pagination, etc etc) and you should have a page like this

On my dev env (joined to a domain too) we have 77 users (count field), having both local and domain users, you should have expected number.

If your count field is ok → we have to check over Rockstor WebUI (maybe timeout?)
If your count field is not ok → my guess is timeout over join operation / join operation called from Django

Waiting your feedback :slight_smile:
Mirko

1 Like

Timeout probably on Domain users listing, check this:

When reading users page we perform a system query with getent passwd (output has system users and domain users too), if user exists on Rockstor db we update data (code on another upper module), if not we create a fake User object and append it to users list (Domain users don’t have a db entry, dynamic data on every request)

Probably with 24k users you fail vs max_wait 90 secs, can you try a getent passwd from shell and check secs/mins?? :slight_smile:
Mirko

1 Like

Hi @Flyer,

I have tried to extend the time in file “/opt/rockstor/src/rockstor/system/users.py” to 9000 seconds. But everything seems to be the same.

If i open https://192.168.1.222/api/users after 2 minute appears this error:

In the users section on web-ui only show 4999 user from SUBDOM.DOM1.local. with message (Showing 1 to 15 of 4,999 entries)

In bash when i executed commands this is the result:

time wbinfo -u | wc -l
379
real 0m1.144s
user 0m0.010s
sys 0m0.009s
This show users of DOM1.local

time getent passwd | wc -l
24773
real 0m49.313s
user 0m0.087s
sys 0m0.049s
This show users of SUBDOM.DOM1.local, but don’t show users of DOM1.local

It’s possible filter user to add at system?

Hello there,

Same probem… My AD is more that 4999 user, and i dont see all of them on web interface… Now i need to add a share to a user start with “Z” but i cant see it…

It is possible any hack to expand the showing number on GUI?

Any idea guys?? Now it is unusable to me.

@vamp First off welcome to the Rockstor community.

Thanks for opening the following issue on GitHub (linking for context):

and for linking it back to your/this forum post.

I did see your forum thread at the time but was involved in a rather large git struggle that is now over. I’m also not that up on datatables that I am assuming is the issue here. But I’ll have a go at this one anyway.

From a quick look it may be that the following line could be where the limit you are experiencing is defined:

I’m assuming this is an arbitrary number set to cap the maximum db retrievals so as to limit (normally) required db requests. But in your case may be presenting as a bug.

In your circumstance what would be the minimum viable number here?

Since it will affect all tables we should keep it, for the time being at least, as low as is practically possible. At least until we have input from those that are more familiar with these technologies ie @Flyer.

I can prepare a pull request against your issue once we have the minimum viable maxPageSize for your foreseeable future.

@Flyer do you agree that this is the limiting factor here?

Also given your machine in presumably in production use I’m reluctant to suggest a rebuild (which I’m assuming will be required for any changes to take effect). But this change could be made and released as a stable channel update pretty quickly once we have a number that will work for you?

Hello @phillxnet!

Thanks the quick and advenced answer!

Well, now in my AD i found 5112 user.

The groups number: 8472

But, i think it is a good idea, if we somehow able to filter to the user folders (ie: now my AD only need my country users, the other country is not) @Flyer What do you think?

Now i use Rockstor 3.9.1-16 (testing updates) i will get your fix in this channel?

BR
Vamp

@vamp

I have now submitted for review an initial ‘hot fix’ for your requirement, at least as I understand it:

https://github.com/rockstor/rockstor-core/pull/1916

which increases this limit from 5000 to 9000 to accommodate your groups requirement.

And given your prior exclamation:

I have stuck to a simple fix for the time being as your fine suggestion for filtering facilities within the UI:

Would be a far larger endeavour and as such would take a lot longer to get around to and complete with appropriate testing etc, especially given outstanding ‘in queue’ issues. Nice idea though so maybe you could open a fresh issue defining exactly what might meet your requirements and how you think it would best be implemented UI wise: although you could consider first opening a fresh forum thread where ideas might first be exchanged/developed with other community members prior to a well defined issue being opened.

That is not likely as there are other blockers on the testing channel as it is no longer supported via rpm updates; although there are long standing plans to push a final rpm update, at some point, to transition it over to include git instructions etc on building direct from source from the various Rockstor repositories on GitHub. It may be that this final rpm update on testing may include all fixes to date as presented in the stable channel updates.

However the indicated fix, if it passes review, may well be available within a few days on the stable channel subscription, and I have noted in your issue to update this forum thread upon it’s inclusion, assuming I’ve not made a blocking mistake in my pull request.

Hope that helps and do consider the stable channel updates as it does help to sustain the projects development. Though please first take a look at the recent thread started by @KarstenV on a ‘bump’ moving from current testing to stable channel updates:

Thanks!

I will talk my boss a possible subscription buying.

BR
Vamp

Hi @phillxnet nice catch!

maxPageSize had that limit slicing AD users to 5k rows and I agree having some checks and users feedbacks before moving to a greater timeout on backend side

M.

@vamp As per:

Rockstor stable channel release version 3.9.2-22 has now been released with your following issue hopefully resolved:

Hope that helps.

Hello there,

We bought the stable release and new i see the “Z*” usernames!

Thanks a lot guys!

@vamp Hello again.

Glad you are now sorted and thanks for the update and for confirming the fix. I’ve added a note on the previously referenced pull request of your fix confirmation.

Thanks again for helping to make Rockstor better and for your additional financial support via a stable channel updates subscription.

Please report any other issues you find, probably best in their own forum thread, and hopefully, in time, we can sort those too.