Issue #22847 has been updated by Josh Cooper.

Status changed from In Topic Branch Pending Review to Merged - Pending Release
Keywords set to windows

Merged in [95d3151](https://github.com/puppetlabs/puppet/commit/95d3151) to be 
released in 3.3.2

----------------------------------------
Bug #22847: Windows Puppet::Util::ADSI::User and Puppet::Util::ADSI::Group 
issues WMI queries that hang Puppet in a domain environment
https://projects.puppetlabs.com/issues/22847#change-98744

* Author: Ethan Brown
* Status: Merged - Pending Release
* Priority: High
* Assignee: Ethan Brown
* Category: windows
* Target version: 3.3.2
* Affected Puppet version: 3.2.4
* Keywords: windows
* Branch: https://github.com/puppetlabs/puppet/pull/1992
----------------------------------------
In an AD environment in a large domain / forest, the existing Puppet WMI 
queries do not filter against only the local host.  In any environment with 
tens or hundreds of thousands of AD objects, this can cause Puppet to hang 
unresponsively waiting for data.


Executing 

<pre>
puppet resource --debug --trace --verbose user
</pre>

And terminating with `Ctrl-C` will yield the following stack trace:

<pre>
Debug: Failed to load library 'shadow' for feature 'libshadow'
Debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/uuidgen does not exist
Debug: Puppet::Type::User::ProviderUseradd: file useradd does not exist
Debug: Failed to load library 'ldap' for feature 'ldap'
Debug: Puppet::Type::User::ProviderLdap: feature ldap is missing
Debug: Puppet::Type::User::ProviderPw: file pw does not exist
Debug: Puppet::Type::User::ProviderUser_role_add: file useradd does not exist
Debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/uuidgen does not exist
Debug: Puppet::Type::User::ProviderUseradd: file useradd does not exist
Debug: Failed to load library 'ldap' for feature 'ldap'
Debug: Puppet::Type::User::ProviderLdap: feature ldap is missing
Debug: Puppet::Type::User::ProviderPw: file pw does not exist
Debug: Puppet::Type::User::ProviderUser_role_add: file useradd does not exist
Error: Could not run:
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/util/adsi.rb:182:in `block in each'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/util/adsi.rb:181:in `each'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/util/adsi.rb:181:in `each'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/provider/user/windows_adsi.rb:97:in `map'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/provider/user/windows_adsi.rb:97:in `instances'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/type.rb:1106:in `block in instances'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/type.rb:1099:in `collect'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/type.rb:1099:in `instances'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/indirector/resource/ral.rb:20:in `search'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/indirector/indirection.rb:263:in `search'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/application/resource.rb:230:in `find_or_save_resources'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/application/resource.rb:142:in `main'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/application.rb:372:in `run_command'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/application.rb:364:in `block (2 levels) in run'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/application.rb:456:in `plugin_hook'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/application.rb:364:in `block in run'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/util.rb:504:in `exit_on_fail'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/application.rb:364:in `run'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/util/command_line.rb:132:in `run'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/util/command_line.rb:86:in `execute'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/bin/puppet:4:in `<main>'
</pre>


Executing 

<pre>
puppet resource --debug --trace --verbose group
</pre>

And terminating with `Ctrl-C` will yield the following stack trace:

<pre>
Debug: Puppet::Type::Group::ProviderDirectoryservice: file /usr/bin/dscl does not exist
Debug: Puppet::Type::Group::ProviderGroupadd: file groupadd does not exist
Debug: Failed to load library 'ldap' for feature 'ldap'
Debug: Puppet::Type::Group::ProviderLdap: feature ldap is missing
Debug: Puppet::Type::Group::ProviderPw: file pw does not exist
Debug: Puppet::Type::Group::ProviderDirectoryservice: file /usr/bin/dscl does not exist
Debug: Puppet::Type::Group::ProviderGroupadd: file groupadd does not exist
Debug: Failed to load library 'ldap' for feature 'ldap'
Debug: Puppet::Type::Group::ProviderLdap: feature ldap is missing
Debug: Puppet::Type::Group::ProviderPw: file pw does not exist
Error: Could not run:
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/util/adsi.rb:290:in `block in each'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/util/adsi.rb:289:in `each'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/util/adsi.rb:289:in `each'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/provider/group/windows_adsi.rb:52:in `map'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/provider/group/windows_adsi.rb:52:in `instances'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/type.rb:1106:in `block in instances'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/type.rb:1099:in `collect'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/type.rb:1099:in `instances'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/indirector/resource/ral.rb:20:in `search'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/indirector/indirection.rb:263:in `search'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/application/resource.rb:230:in `find_or_save_resources'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/application/resource.rb:142:in `main'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/application.rb:372:in `run_command'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/application.rb:364:in `block (2 levels) in run'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/application.rb:456:in `plugin_hook'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/application.rb:364:in `block in run'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/util.rb:504:in `exit_on_fail'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/application.rb:364:in `run'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/util/command_line.rb:132:in `run'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/lib/puppet/util/command_line.rb:86:in `execute'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/bin/puppet:4:in `<main>'
F:/Program Files (x86)/Puppet Labs/Puppet Enterprise/puppet/bin/puppet: Interrupt
</pre>

The problem stems from the queries in `adsi.rb`:

<pre>
select * from win32_useraccount
select * from win32_group
</pre>

These queries need to be qualified to use only local machine users and groups 
like:

<pre>
select name from win32_useraccount where localaccount = "TRUE"
select name from win32_group where localaccount = "TRUE"
</pre>
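
To check the behaviour described in this report on a domain-joined Windows host, the following Windows PowerShell script (an added example, not part of the original issue or of Puppet's code) runs each query in a background job and gives up after a timeout, so a hung enumeration does not block the console. The `$TimeoutSeconds` value and the labels are assumptions, and the unfiltered queries are assumed to select all columns (`*`).

```powershell
# Added example: compare the unfiltered and local-only WQL queries from the report.
# Each query runs in a background job so a query that keeps enumerating domain
# objects can be abandoned after $TimeoutSeconds instead of hanging the shell.
$TimeoutSeconds = 30   # assumption: tune for your environment

$queries = [ordered]@{
    'users (unfiltered)'  = 'select * from win32_useraccount'
    'users (local only)'  = 'select name from win32_useraccount where localaccount = "TRUE"'
    'groups (unfiltered)' = 'select * from win32_group'
    'groups (local only)' = 'select name from win32_group where localaccount = "TRUE"'
}

foreach ($label in $queries.Keys) {
    # The job returns only the number of objects the query produced.
    $job = Start-Job -ScriptBlock {
        param($wql)
        @(Get-WmiObject -Query $wql).Count
    } -ArgumentList $queries[$label]

    $timer = [System.Diagnostics.Stopwatch]::StartNew()

    # Wait-Job returns the job if it finished in time, nothing on timeout.
    if (Wait-Job -Job $job -Timeout $TimeoutSeconds) {
        $count = Receive-Job -Job $job
        '{0,-20} {1,8} objects in {2:N1}s' -f $label, $count, $timer.Elapsed.TotalSeconds
    }
    else {
        Stop-Job -Job $job
        '{0,-20} no result after {1}s' -f $label, $TimeoutSeconds
    }

    Remove-Job -Job $job -Force
}
```

On a host where the unfiltered queries time out while the local-only ones return promptly, `puppet resource user` and `puppet resource group` are exposed to the hang described here until the fix is installed.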
