Unable to bind to AD without disabling FreeNAS cache

[Sispeo29]

Hello

I have been trying to bind my FreeNAS installation to our corporate Active Directory since some time now but always facing the same issue: as soon as I try to enable the FreeNAS cache in the active directory configuration web page, I just receive an error message "Call Timeout"
Looking at the debug log file (under /var/log) it show the following lines:

Jun 11 07:04:02 ploflrsrv002sas uwsgi: [common.freenasldap:351] FreeNAS_LDAP_Directory.open: connection open
Jun 11 07:05:33 ploflrsrv002sas uwsgi: [api.utils:12] Traceback (most recent call last):
Jun 11 07:05:33 ploflrsrv002sas uwsgi: [api.utils:12] File "./freenasUI/api/utils.py", line 251, in dispatch
Jun 11 07:05:33 ploflrsrv002sas uwsgi: [api.utils:12] request_type, request, *args, **kwargs
Jun 11 07:05:33 ploflrsrv002sas uwsgi: [api.utils:12] File "/usr/local/lib/python3.6/site-packages/tastypie/resources.py", line 482, in dispatch
Jun 11 07:05:33 ploflrsrv002sas uwsgi: [api.utils:12] response = method(request, **kwargs)
Jun 11 07:05:33 ploflrsrv002sas uwsgi: [api.utils:12] File "./freenasUI/api/utils.py", line 349, in put_list
Jun 11 07:05:33 ploflrsrv002sas uwsgi: [api.utils:12] return self.put_detail(request, **kwargs)
Jun 11 07:05:33 ploflrsrv002sas uwsgi: [api.utils:12] File "./freenasUI/api/utils.py", line 362, in put_detail
Jun 11 07:05:33 ploflrsrv002sas uwsgi: [api.utils:12] updated_bundle = self.obj_update(bundle=bundle, **self.remove_api_resource_names(kwargs))
Jun 11 07:05:33 ploflrsrv002sas uwsgi: [api.utils:12] File "/usr/local/lib/python3.6/site-packages/tastypie/resources.py", line 2236, in obj_update
Jun 11 07:05:33 ploflrsrv002sas uwsgi: [api.utils:12] return self.save(bundle, skip_errors=skip_errors)
Jun 11 07:05:33 ploflrsrv002sas uwsgi: [api.utils:12] File "./freenasUI/api/utils.py", line 445, in save
Jun 11 07:05:33 ploflrsrv002sas uwsgi: [api.utils:12] form.save()
Jun 11 07:05:33 ploflrsrv002sas uwsgi: [api.utils:12] File "./freenasUI/directoryservice/forms.py", line 591, in save
Jun 11 07:05:33 ploflrsrv002sas uwsgi: [api.utils:12] timeout=_fs().directoryservice.activedirectory.timeout.started
Jun 11 07:05:33 ploflrsrv002sas uwsgi: [api.utils:12] File "./freenasUI/middleware/notifier.py", line 208, in started
Jun 11 07:05:33 ploflrsrv002sas uwsgi: [api.utils:12] return c.call('service.started', what, **kwargs)

so seems I am facing a timeout value

If I check the tick "Disable FreeNAS cache", after a long time, the configuration succeeds, but then every operation on the system is very slow (espacially user access operations) and it is amost unusable

For your information, our active directory has a huge number of objects: about 35000 users and 47000 groups
I am runing FreeNAS 11.2-U4.1

Thanks in advance for your help on this topic

Best regards

 

[Sispeo29]

sorry, just realized I already posted this question a few months ago there https://www.ixsystems.com/community...y-freenas-11-disable-cache.57758/#post-499767 but nobody answered to it

One of the solution I see would be to increase the timeout value, but not sure where this can be done

Regards

 

[anodos]

The timeout values in FreeNAS 11.2 are controlled by sysctls:

Code:

freenas.directoryservice.activedirectory.timeout.reload: 180
freenas.directoryservice.activedirectory.timeout.restart: 180
freenas.directoryservice.activedirectory.timeout.started: 90
freenas.directoryservice.activedirectory.timeout.stop: 90
freenas.directoryservice.activedirectory.timeout.start: 90

These can be adjusted by adding the corresponding sysctl tunable.

In 11.2-U5, the cache fill will be moved to a background task, which will also avoid having UI / middleware timeouts when there's a large number of objects. That said, in general, it's better to disable the cache if you have that many objects in AD.


In 11.3 the cache has been rewritten. When active caching is disabled (disable freenas cache is checked), then the UI cache will be filled from the winbindd cache. This means that over time the UI options will reflect the users / groups that actually use the system rather than the full contents of the AD environment. Hopefully this will provide a better mix of scalability and usefulness than the current behavior.

 

[Sispeo29]

The timeout values in FreeNAS 11.2 are controlled by sysctls:

Code:

freenas.directoryservice.activedirectory.timeout.reload: 180
freenas.directoryservice.activedirectory.timeout.restart: 180
freenas.directoryservice.activedirectory.timeout.started: 90
freenas.directoryservice.activedirectory.timeout.stop: 90
freenas.directoryservice.activedirectory.timeout.start: 90

These can be adjusted by adding the corresponding sysctl tunable.

In 11.2-U5, the cache fill will be moved to a background task, which will also avoid having UI / middleware timeouts when there's a large number of objects. That said, in general, it's better to disable the cache if you have that many objects in AD.


In 11.3 the cache has been rewritten. When active caching is disabled (disable freenas cache is checked), then the UI cache will be filled from the winbindd cache. This means that over time the UI options will reflect the users / groups that actually use the system rather than the full contents of the AD environment. Hopefully this will provide a better mix of scalability and usefulness than the current behavior.

Thanks Anodos for the reply
just to be sure to understand: is the cache only used for GUI, or is it also used by the system itself (like for determining file access ?

 

[anodos]

Thanks Anodos for the reply
just to be sure to understand: is the cache only used for GUI, or is it also used by the system itself (like for determining file access ?

It's GUI only.