Jump to content
Welcome to our new Citrix community!
  • 0

XenServer integration with Active Directory log messages after upgrade to 7.02 (likewise-open to PBIS)


Bhuwan Thapa

Question

After upgrading XenServer from 6.5 to 7.2 I’ve noticed lots of messages in xensource.log file similar to below message almost every 15 minutes:

 

Apr 15 12:44:59 XENHOST xapi: [debug| XENHOST |137 |update_all_subjects_func D:de67325f0528|extauth_plugin_ADpbis] parse /opt/pbis/bin/find-by-sid   --level 1 S-1-5-21-XXXXX-XXXXX-214XXXXX4995-512: key=[Group info (Level-1)] value=[] currkey=[]

 

The above log message is logged against each domain user that belongs to “domain group” used for active directory authentication.

 

Also, there are lots of below messages as well:

Apr 01 13:00:01 XENHOST xapi: [debug| XENHOST |137 |session_revalidation_func D:02880ff306b1|extauth_plugin_ADpbis] parse /opt/pbis/bin/list-groups-for-user   --show-sid Domain\username key=[] value=[Group[106 of 461] name = DOMAIN\DOMAIN_GROUP_NAME (gid = XXXXXXX, sid = S-1-5-21-XXXXX-XXXXXXXXXXXXXXX-XXXXXXXXX-13159)] currkey=[]

 

It appears to be checking the domain user used to authenticate XenServer to Active Directory against each domain group.

 

Just wondering why is “ /opt/pbis/bin/find-by-sid   --level 1 S-1-5-21-XXXXX-XXX-XXXX-512” is logged almost every minutes and is run against each user of the domain group that was used to set up active directory integration?. Is this expected log message after upgrade to XEN 7.2 using PBIS package? If so, how can we disable the logging of these messages to xensource.log?

 

 

Thank you in advance.

Link to comment

5 answers to this question

Recommended Posts

  • 0

Hi Alan,

Thank you for replying to my post. On XenServer 7.2 I've got PBIS instead of likewise open and is missing the "lw-get-log-info" commands. The "comainjoin-cli commands has --loglevel option but does not seem to be the one we are after.

 

./domainjoin-cli --help output for log level.

    --loglevel {error|warning|info|verbose}    Adjusts how much logging is
 

The messages in xensource.log file has " xapi: [debug|", so it seems to be logged by XAPI not PBIS/likewiseopen??

 

I wanted to understand:

1. Why XAPI/XenServer is running "execute /opt/pbis/bin/find-by-sid" every 15 minutes?

2. Why do we see PBIS related debug log messages in the newer version or 7.2?

3. Are these messages expected?

 

Thank you.

Link to comment
  • 0

Hi Tobias,

Thank you for the quick input.

 

Do we know if it is safe to decrease the frequency at which this check is performed, and if so how can we achieve it?

Is there a way we can change the PBIS related log level for xensource.log to "INFO" from "DEBUG" as it is adding lots of messages in the log file while checking for each user in the domain group?

 

Cheers.

Link to comment
  • 0

I would certainly reduce the log level way down from DEBUG; I'm not clear why so many settings are that high to begin with!

And, yes, you can modify some things for starters according to https://support.citrix.com/article/CTX214093

A number of settings can be modified (be cautions what you do change!) in the file /etc/rsyslog.d/xenserver.conf

which may require an rsyslogd restart to put changes into effect.

 

-=Tobias

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...