On 8/13/14 12:57 PM, jcbollinger wrote:
> 
> On Monday, August 11, 2014 8:50:36 AM UTC-5, Jan van Lith wrote:
> 
>     Hi,
> 
>     I am using winbind with "winbind enum groups = yes" on some of our
>     servers.
>     When ensuring a user that is local (and also in AD, so it has a lot
>     of groups), the puppet run takes ages. The winbind process is taking a
>     lot of CPU, and when I strace it, AD groups are passing by.
> 
>     This is the manifest:
> 
>      # ensure user and group
>      # $user holds the account name; the original used a bare-word title
>      # ('user') that did not match the Group[$user] reference below
>      $user = 'user'   # assumed from the id output below
>      user { $user:
>        ensure     => 'present',
>        groups     => 'logongroup',   # secondary group, defined in local files
>        uid        => '900',
>        require    => Group[$user],   # primary group must exist first
>        managehome => true,
>      }
>      group { $user:
>        ensure => 'present',
>        gid    => '900',
>      }
> 
>     # id user
>     uid=900(user) gid=900(user)
>     groups=900(user),400(logongroup),16777729(domain users) .............
> 
>     What is puppet doing?
> 
> It is likely enumerating all the groups defined for the machine, which
> it will do at the beginning of a run as part of determining the
> machine's initial state.  If winbind allows groups to be enumerated (as
> you specifically say it does for these machines) then those will include
> all the groups winbind can enumerate from AD.  Since you're using the
> name service switch, Puppet probably can't even tell that it's getting
> both AD groups and local groups.
> 
>     I am presuming it is checking if this user is a member of the
>     logongroup.
> 
> Puppet likely uses the 'groups' command to load users' secondary
> groups.  It might be that that requires scanning all AD groups (it does
> require scanning all local groups).  If determining a user's secondary
> groups generally takes a long time in a given environment, then there's
> probably nothing you can do to make Puppet do the job faster than is
> generally required.
> 
> Moreover, Puppet probably determines the secondary groups for all system
> users, which means the cost of running 'groups' is likely multiplied by
> the number of defined system users.  Furthermore, the known system users
> include those who are not permitted to log on, so that could extend to
> all users in AD.
> 
>     Can you make puppet not perform these group checks in AD?
> 
> Sure, by disabling winbind in nsswitch.conf.  But you probably don't
> want to do that.  Likely disabling group enumeration by winbind would
> also speed things up, but (1) you probably have it enabled for a reason,
> (2) Puppet probably then will not be able to determine users' membership
> in AD secondary groups, and (3) AD secondary groups might not work at
> all, at least for local users.
> 
>     My nsswitch.conf tells it to first look in local files.
> 
> The problem is likely tied to the fact that by using winbind for groups
> at all, you add a gazillion groups to your system.  Name resolution
> precedence doesn't change that.
> 
>     passwd:     files winbind
>     shadow:     files winbind
>     group:      files winbind
> 
>     So why is it still performing these tasks when the logongroup is
>     already present in local files?
> 
> It's probably not specific to this user, and almost certainly not to the
> 'logongroup' group.
> 
> John
> 

Hi Jan,

I'm not familiar with winbind itself, though your performance might
improve by using nscd to cache the lookups.

And there's a module for that :)

https://github.com/ghoneycutt/puppet-module-nscd

Best regards,
-g


-- 
Garrett Honeycutt
@learnpuppet
Puppet Training with LearnPuppet.com
Mobile: +1.206.414.8658
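As an added illustration (not code from the thread or from any of the modules mentioned), here is a small check that reads an smb.conf and an nsswitch.conf and reports whether a full NSS enumeration of groups or users, which is what Puppet does when it loads the system's users and groups at the start of a run, will walk into AD through winbind. The function names and the sample configs are my own assumptions; the sample mirrors the setup in the thread.

```python
"""Added check (not from the thread): will NSS enumeration pull AD entries
through winbind? Function names and sample configs are assumptions."""
import re

def parse_smb_global(text):
    """Return the [global] section of an smb.conf as a lowercase dict."""
    opts, section = {}, None
    for line in text.splitlines():
        line = line.split("#")[0].split(";")[0].strip()  # strip comments
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            opts[" ".join(key.split()).lower()] = value.strip().lower()
    return opts

def parse_nsswitch(text):
    """Map each nsswitch.conf database (passwd, group, ...) to its sources."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            dbs[db.strip()] = sources.split()
    return dbs

def enumeration_via_winbind(smb_conf, nsswitch_conf):
    """For 'group' and 'passwd', True if enumeration will include AD entries.
    Source order ('files winbind') is irrelevant: enumeration walks every
    listed source, so only the 'winbind enum ...' settings decide."""
    opts = parse_smb_global(smb_conf)
    dbs = parse_nsswitch(nsswitch_conf)
    checks = {"group": "winbind enum groups", "passwd": "winbind enum users"}
    return {db: opts.get(opt, "no") in ("yes", "true", "1")
                and "winbind" in dbs.get(db, [])
            for db, opt in checks.items()}

# Constructed sample configs mirroring the thread's setup.
SAMPLE_SMB = "[global]\n  workgroup = EXAMPLE\n  winbind enum groups = yes\n"
SAMPLE_NSS = "passwd: files winbind\nshadow: files winbind\ngroup: files winbind\n"

if __name__ == "__main__":
    for db, hits_ad in enumeration_via_winbind(SAMPLE_SMB, SAMPLE_NSS).items():
        print(f"{db}: {'enumerates AD via winbind' if hits_ad else 'local only'}")
```

Point it at the real /etc/samba/smb.conf and /etc/nsswitch.conf to see which databases a Puppet run will enumerate from AD; a `group: True` result is the situation described in the thread.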
