BeyondTrust / pbis-open

BeyondTrust AD Bridge Open is an open-source community project sponsored by BeyondTrust Corporation. It is currently archived and will no longer receive updates. If you are interested in an Enterprise version of this project, please see our AD Bridge product.

Home Page: https://www.beyondtrust.com/privilege-management/active-directory-bridge


Slowness in generating running config after upgrading from Likewise/PBIS v6.1 to v8.5

kpamula opened this issue · comments

Hi Experts,

Our customer reported an issue with slowness when executing ‘show running-config’ and related CLIs after joining a Windows domain.

The CLI binary is using the "getpwent()" API to get user and password information from the user database when showing the user configuration.

When the customer is executing CLIs like ‘show running-config’ and ‘write memory’, it is taking 90-120 seconds to get the user information, only after joining a Windows domain controller. When we leave the domain controller, the slowness is not seen.

From analysis, the ‘show running-config’ CLI is using the "getpwent()" API to get the user information and checks the validity of each user, which is causing the slowness. The customer has a user database of more than 50k users, so it is taking more time to complete the operation.

This slowness is seen only after the Likewise package upgrade from v6.1 to v8.5 in our product, and is not seen in the earlier builds.

The interesting part is that after a device reload, it is not getting the user details from the Domain Controller and therefore the slowness is not there.

Could you please let us know if there is any patch/solution that can fix this problem in Likewise/PBIS v8.5?

Thanks,
Kiran

Hi Experts,

Our Development Engineer has made some progress on this, and he could narrow the issue down to a config variable, "NssEnumerationEnabled", which is ENABLED in Likewise/PBIS 8.5 but DISABLED in Likewise 6.1, and which is causing this problem.

If he disables this explicitly on the 8.5 version, the issue is never hit, but we are not aware of the consequences of doing so.

Could you please shed some light on this, and let us know if you are aware of any patches that could address this issue for us?

Thanks,
Kiran

Hi,

Glad you made progress with that. Disabling that is mentioned in the Best Practices Guide on page 12.

It does basically what you discovered; internally AD Bridge will ignore NSS enumeration requests. Singular lookups work fine and our own enumeration methods work.
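The distinction the maintainer draws (enumeration versus singular lookups) is easy to see from the C side. The program below is an added example, not code from pbis-open or from the CLI binary discussed above: it walks the whole passwd database with setpwent()/getpwent()/endpwent(), which is the call path that fans out to every source listed for "passwd" in /etc/nsswitch.conf, and times it against a single getpwnam() lookup, which resolves one name directly. On a box joined to a large domain with NSS enumeration enabled, the first number is the one that grows with the directory size; the second does not.

```c
/* Added example (not from the pbis-open project): compare NSS enumeration
 * via getpwent() with a single getpwnam() lookup against the local NSS
 * configuration. Build: cc -O2 -o nss_enum_vs_lookup nss_enum_vs_lookup.c */
#define _GNU_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Monotonic wall-clock time in seconds, used for the two timings below. */
static double now_seconds(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec + (double)ts.tv_nsec / 1e9;
}

/* Enumerate every passwd entry NSS will return. This consults each source
 * listed for "passwd" in /etc/nsswitch.conf in order, so with a domain
 * provider that honours enumeration it touches every directory user.
 * Returns the number of entries; the elapsed time is written to *elapsed
 * when that pointer is non-NULL. */
long count_passwd_entries(double *elapsed)
{
    long n = 0;
    double t0 = now_seconds();
    struct passwd *pw;

    setpwent();
    while ((pw = getpwent()) != NULL)
        n++;
    endpwent();

    if (elapsed)
        *elapsed = now_seconds() - t0;
    return n;
}

/* Single lookup by name: the provider answers for this one account only,
 * no enumeration is involved. Returns 1 if the user exists, else 0. */
int user_exists(const char *name, double *elapsed)
{
    double t0 = now_seconds();
    struct passwd *pw = getpwnam(name);

    if (elapsed)
        *elapsed = now_seconds() - t0;
    return pw != NULL;
}

int main(void)
{
    double t_enum = 0.0, t_lookup = 0.0;
    long entries = count_passwd_entries(&t_enum);
    int found = user_exists("root", &t_lookup);

    printf("enumeration: %ld entries in %.3f s\n", entries, t_enum);
    printf("lookup root: %s in %.6f s\n", found ? "found" : "missing", t_lookup);
    return 0;
}
```

Run it once before and once after a domain join; if the enumeration time balloons while the lookup time stays flat, the cost is in enumeration, which is exactly what NssEnumerationEnabled=0 removes without affecting name-based lookups or authentication.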

Thanks a lot for your kind response.

Any reason why the issue is not noticed after a reload of the device, until we un-join and re-join the domain again?

Hi,

We added the fix below, and it looked like the issue was sorted out.

```diff
Index: likewise-8.5.3/lsass/etc/lsassd.reg.in
===================================================================
--- likewise-8.5.3.orig/lsass/etc/lsassd.reg.in
+++ likewise-8.5.3/lsass/etc/lsassd.reg.in
@@ -239,7 +239,7 @@
     doc = "Whether to return only cached info for NSS user's groups"
 }
 "NssEnumerationEnabled" = {
-    default = dword:@ENABLE_NSS_ENUM_DEFAULT_DWORD@
+    default = dword:00000000
     doc = "Whether to enumerate users or groups for NSS"
     range = boolean
 }
```
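Review bot: the `-`/`+` pair in this hunk replaces the configure-time placeholder `default = dword:@ENABLE_NSS_ENUM_DEFAULT_DWORD@` with a hard-coded `default = dword:00000000`, so whatever build option populates that placeholder silently stops having any effect for this key. If the intent is a build that ships with enumeration off, set that default through the build configuration that fills the placeholder, or set `NssEnumerationEnabled` in the running configuration as the earlier reply suggests, rather than removing the substitution from the template; a template default is also only a default, which is worth keeping in mind when the symptom returns after the registry is re-initialised.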

But our Test team started seeing the same problem again after a reload of the device followed by a Domain Unjoin & Rejoin operation on the device; they face the same issue.

What we observed here is that there is a Linux file, "/etc/nsswitch.conf", which has the contents below:

passwd: files lsass
shadow: files
group: files lsass

And when this file is modified to the order below, the issue goes away.

passwd: lsass files
shadow: files
group: lsass files

One thing we noticed is that before changing the order of the sources, we see multiple users with the "show users administrative" CLI, and we notice only one "admin" user after the ordering is changed.

We think the /etc/nsswitch.conf file was modified by Likewise code when we do a domain join.
The nsswitch module is enabled by default, so it is adding the ‘lsass’ entry to the /etc/nsswitch.conf file when we do a domain join via the CLI. There is no change in the domain join configuration.

Another interesting point is that we have the same content of /etc/nsswitch.conf in the earlier version of Likewise we used (v6.1), but we don't see many users in the "show users administrative" CLIs, and we don't see the slowness there.

Kindly help in this regard, in case any additional patch is missing in the Likewise version v8.5 we are using that would address this problem completely.

Thanks,
Kiran
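The order of sources on a line in /etc/nsswitch.conf decides which backend answers a lookup first and, for enumeration, which entries come out first, so it is worth checking mechanically after a join rather than by eye. The parser below is an added example, not part of pbis-open or of the poster's product; it takes nsswitch.conf text, reports the position of a given source for a given database, and tells you whether a non-local source such as lsass is consulted ahead of "files". The two sample configurations are constructed from the ones quoted in the thread; the action tokens it skips (for example `[NOTFOUND=return]`) are the standard nsswitch.conf syntax, not something the thread shows.

```c
/* Added example (not from pbis-open): parse nsswitch.conf text and report
 * source ordering per database. Build: cc -O2 -o nss_order nss_order.c */
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples: the two /etc/nsswitch.conf variants quoted in the thread. */
static const char *NSSWITCH_FILES_FIRST =
    "passwd: files lsass\n"
    "shadow: files\n"
    "group: files lsass\n";

static const char *NSSWITCH_LSASS_FIRST =
    "passwd: lsass files\n"
    "shadow: files\n"
    "group: lsass files\n";

/* Return the 0-based position of source `src` in the source list for
 * database `db`, or -1 if the database or the source is not listed.
 * Comments (# ...) are stripped; action tokens like [NOTFOUND=return]
 * are skipped because they are not sources. */
int nss_source_index(const char *conf, const char *db, const char *src)
{
    const char *p = conf;

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t full = eol ? (size_t)(eol - p) : strlen(p);
        size_t len = full < 511 ? full : 511;   /* clamp into the line buffer */
        char line[512];

        memcpy(line, p, len);
        line[len] = '\0';
        p += full + (eol ? 1 : 0);

        char *hash = strchr(line, '#');
        if (hash)
            *hash = '\0';
        char *colon = strchr(line, ':');
        if (!colon)
            continue;
        *colon = '\0';

        /* Trim whitespace around the database name and compare it. */
        char *name = line;
        while (isspace((unsigned char)*name))
            name++;
        char *end = name + strlen(name);
        while (end > name && isspace((unsigned char)end[-1]))
            *--end = '\0';
        if (strcmp(name, db) != 0)
            continue;

        int idx = 0;
        char *save = NULL;
        for (char *tok = strtok_r(colon + 1, " \t", &save); tok;
             tok = strtok_r(NULL, " \t", &save)) {
            if (tok[0] == '[')
                continue;               /* action specifier, not a source */
            if (strcmp(tok, src) == 0)
                return idx;
            idx++;
        }
        return -1;                      /* database found, source not listed */
    }
    return -1;                          /* database not present */
}

/* 1 if `src` is consulted before the local "files" source for `db`
 * (or "files" is absent), else 0. */
int nss_source_precedes_files(const char *conf, const char *db, const char *src)
{
    int s = nss_source_index(conf, db, src);
    int f = nss_source_index(conf, db, "files");
    return s >= 0 && (f < 0 || s < f);
}

int main(void)
{
    const char *dbs[] = { "passwd", "group", "shadow" };
    for (size_t i = 0; i < sizeof dbs / sizeof dbs[0]; i++)
        printf("%-6s lsass at %d (files first), %d (lsass first); lsass before files: %d -> %d\n",
               dbs[i],
               nss_source_index(NSSWITCH_FILES_FIRST, dbs[i], "lsass"),
               nss_source_index(NSSWITCH_LSASS_FIRST, dbs[i], "lsass"),
               nss_source_precedes_files(NSSWITCH_FILES_FIRST, dbs[i], "lsass"),
               nss_source_precedes_files(NSSWITCH_LSASS_FIRST, dbs[i], "lsass"));
    return 0;
}
```

To use it against a live system, read /etc/nsswitch.conf into a buffer and pass that instead of the constructed strings. Whichever source is listed first wins a name lookup, so putting the domain provider ahead of "files" means a directory account whose name collides with a local administrative account will be the one returned; the safer default keeps local "files" first and fixes the enumeration cost through NssEnumerationEnabled instead.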


A lot of these changes since 6.5 took place to address compatibility and security over performance.

pbis-open will no longer receive updates and will be archived. Closing all outstanding issues. Please consider BeyondTrust Active Directory Bridge for continued support.
https://www.beyondtrust.com/privilege-management/active-directory-bridge