Highlighted
Anonymous_User Absent Member.
Absent Member.
589 views

Suddenly no bundles on various devices - randomly

Hi,

Since four days, various devices on various locations randomly do not have
any bundles anymore. Users are logged into the ZEN agent. ZEN agent does not
show any assigned bundles. It can suddenly start working again, and it can
suddenly stop working. I cannot find any logic in this.

We're running 11.4.1 on my servers (1 primary VA, various sat servers on
locations)

The system message log on the primary server reports a lot of these errors
since the problem started:

The assignment web service encountered the following exception while
handling "getEffectiveAssignments" request for
79e98471219471f3af1629507f32b633~c5b2f390ddb1fb429b92bf5e71606aa2:
1427623610da2148a0ae9b8b0f63e7e7

The assignment web service encountered the following exception while
handling "getAssignmentChains" request for 03701c52b10feaa4556a0f6d274a7799:
1427623610da2148a0ae9b8b0f63e7e7

We're using AD as LDAP source. LDAP source in ZEN reports OK. Certificates
are OK, all AD health checks are OK.

I've opened a SR, but no solution yet.

Any ideas?

Thanks
Ron

Labels (2)
0 Likes
7 Replies
Micro Focus Expert
Micro Focus Expert

Re: Suddenly no bundles on various devices - randomly

Can you post the SR# here?
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Suddenly no bundles on various devices - randomly

Sure it's 10992048631

"CRAIGDWILSON" schreef in bericht
news:CRAIGDWILSON.7b6qfc@no-mx.forums.microfocus.com...


Can you post the SR# here?


--
--
Any Opinions, Thoughts, Solutions, or Blog Entries are my own and may or
may not be shared by Novell or any Sane Person
Please Use at your Own Risk.

Blog - https://forums.novell.com/blog.php/5830-CRAIGDWILSON

https://ideas.microfocus.com/mfi/novell-zcm
------------------------------------------------------------------------
CRAIGDWILSON's Profile: https://forums.novell.com/member.php?userid=5830
View this thread: https://forums.novell.com/showthread.php?t=496862

0 Likes
Micro Focus Expert
Micro Focus Expert

Re: Suddenly no bundles on various devices - randomly

In the ZCC, under Configuration->User Source Settings", is "Active Directory" set to "Top-Level Groups Only"?
If not, please see if that helps.........(Assuming there are 1000+ users in that group.....)

If it does, a more workable fix may be to configure the LDAP to return more attribute results than the number of members in your largest groups.
ZCM has to do some gyrations to do nested groups.

Keep in mind..........This is a wild guess...........
0 Likes
Micro Focus Expert
Micro Focus Expert

Re: Suddenly no bundles on various devices - randomly

Issue was not the above...........it was a membership in a group outside of the scope defined for the User Source.
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Suddenly no bundles on various devices - randomly

Hi Craig,

Well, indeed the problem has been solved by changing the User Source scope
to top level AD instead of an OU.

But we did not find any ZEN object assignments that could explain this. We
did find an AD group that had 'domain users' as member. And 'domain users'
was outside the scope. But this group did not have any bundles, policies
etc. And removing 'domain users' from this group did not solve the problem.

We found out the error guid '1427623610da2148a0ae9b8b0f63e7e7' points to
'domain users'. Which has >3000 members. My current AD user source settings
are set to 'Top-Level groups and all nested groups'. So maybe that setting
has something to do with it as well. But that would not explain why only
changing the user source scope fixed the problem.

So I'm very glad everything is working again, but have not pinpointed the
root cause... which is sorta scary..

Thanks!
Ron





"CRAIGDWILSON" schreef in bericht
news:CRAIGDWILSON.7b8ljz@no-mx.forums.microfocus.com...


Issue was not the above...........it was a membership in a group outside
of the scope defined for the User Source.


--
--
Any Opinions, Thoughts, Solutions, or Blog Entries are my own and may or
may not be shared by Novell or any Sane Person
Please Use at your Own Risk.

Blog - https://forums.novell.com/blog.php/5830-CRAIGDWILSON

https://ideas.microfocus.com/mfi/novell-zcm
------------------------------------------------------------------------
CRAIGDWILSON's Profile: https://forums.novell.com/member.php?userid=5830
View this thread: https://forums.novell.com/showthread.php?t=496862

0 Likes
Micro Focus Expert
Micro Focus Expert

Re: Suddenly no bundles on various devices - randomly

The Number of Users is likely not an issue.
I have never seen that cause an issue, but knowing the problem group was a group holding every user made it a possibility w/o having any other details.

It was definitely a 'Scope' issue.
There is a ticket open where one bad 'group' can break all assignments to which your SR got linked.
The request to dev is to add in error handling so that a bad group will not impact other assignments.
I use 'bad' in a general term and yours is actually a new variation on the subject.
We have seen cases in the past that SOMEHOW groups obtained names outside of the valid AD naming scheme and LDAP (and most other tools) fail to access them.
Your error was very similar under the hood, but for another reason.

There is not any ETA on a fix or if Dev even considers this a defect. Suprisingly few customers have ever reported this issue, even though it has likely always existed.
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Suddenly no bundles on various devices - randomly

All clear and thanks for the feedback Craig.

Ron

"CRAIGDWILSON" schreef in bericht
news:CRAIGDWILSON.7b8yzc@no-mx.forums.microfocus.com...


The Number of Users is likely not an issue.
I have never seen that cause an issue, but knowing the problem group was
a group holding every user made it a possibility w/o having any other
details.

It was definitely a 'Scope' issue.
There is a ticket open where one bad 'group' can break all assignments
to which your SR got linked.
The request to dev is to add in error handling so that a bad group will
not impact other assignments.
I use 'bad' in a general term and yours is actually a new variation on
the subject.
We have seen cases in the past that SOMEHOW groups obtained names
outside of the valid AD naming scheme and LDAP (and most other tools)
fail to access them.
Your error was very similar under the hood, but for another reason.

There is not any ETA on a fix or if Dev even considers this a defect.
Suprisingly few customers have ever reported this issue, even though it
has likely always existed.


--
--
Any Opinions, Thoughts, Solutions, or Blog Entries are my own and may or
may not be shared by Novell or any Sane Person
Please Use at your Own Risk.

Blog - https://forums.novell.com/blog.php/5830-CRAIGDWILSON

https://ideas.microfocus.com/mfi/novell-zcm
------------------------------------------------------------------------
CRAIGDWILSON's Profile: https://forums.novell.com/member.php?userid=5830
View this thread: https://forums.novell.com/showthread.php?t=496862

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.