[SAMBA4] Should 'PDC status' be an smb.conf, or ldb parameter?
Andrew Bartlett
abartlet at samba.org
Wed Dec 13 00:05:46 GMT 2006
On Wed, 2006-12-13 at 00:41 +0100, Stefan (metze) Metzmacher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Andrew Bartlett schrieb:
> > I've recently been doing work to improve our 'CrackNames' code, and I
> > have opened a can of worms:
> > To pass our RPC-CRACKNAMES test, we need to implement
> > DsGetDomainControllerInfo. This lists details about domain controllers,
> > from the information in the directory. In particular, it lists which is
> > the PDC emulator.
> >
> > This sent me off in search of how this is recorded in the directory, and
> > I found it is controlled/recorded by the value of the fSMORoleOwner
> > attribute in the base DN for the domain. This script:
> > http://techtasks.com/code/viewbookcode/64 shows how it works nicely.
> >
> > I now have code in our SAMR server to identify the PDC correctly from
> > this entry (we would previously always return ourselves as the PDC.
> > Clearly nobody cares, as Samba 3.0 does likewise). (As a side note,
> > there seems to also be code in the NBT server that needs a similar
> > adjustment).
> >
> > The can of worms comes from then determining what server role we are in,
> > for the other dependent services. For example, our NBT server should
> > not take the <1b> unless it is the PDC. Should this continue to be an
> > smb.conf setting, or should we read the directory? If we read the
> > directory, how often and from where should we handle this? Likewise,
> > there are announce flags and other similar places where the PDC/BDC
> > distinction still remains.
> >
> > I've in the past argued for keeping the text-based smb.conf, but for
> > this setting, it seems that the directory is more appropriate.
> >
> > Thoughts?
>
> that's fine, I'd like to read a lot more out of the directory,
> as that's what we need to do when we want to support replication!
>
> we should also try to have a way to support the BDC in an NT4 domain.
>
> so that we can do migrations by becoming an NT4 BDC, then promote us as an
> NT4 PDC in the domain and then upgrade the domain to active directory
> in mixed mode still serving the old NT4 BDCs.
>
> >
> > - basedn_s = ldb_msg_find_attr_as_string(res->msgs[0], "rootDomainNamingContext", NULL);
> > - if (basedn_s == NULL) {
> > + basedn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, res->msgs[0], "rootDomainNamingContext");
> > + if (basedn == NULL) {
> > goto failed;
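Review bot: the new `+ if (basedn == NULL)` check folds two distinct failures into a single `goto failed`: the `rootDomainNamingContext` attribute being absent from `res->msgs[0]`, and the value being present but not parseable as a DN by `ldb_msg_find_attr_as_dn()`. A DEBUG line naming the attribute before the `goto` would make either case diagnosable from the log. Note also that `basedn` is now allocated on `tmp_ctx` instead of pointing into the message, so if it is kept past the point where `tmp_ctx` is freed it needs a `talloc_steal()` onto the longer-lived context. Finally, as raised in the reply, `rootDomainNamingContext` names the forest root domain partition; the local DC's own domain partition is `defaultNamingContext`, which is what a lookup of this DC's domain head should use.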
>
> I think "rootDomainNamingContext" is wrong here, as that means the
> forest root domain, and "defaultNamingContext" is the domain partition
> of the local dc.
>
> (this appears in some other places in the patch too)
Yeah, it's that way from how tridge had the code to find the domain SID.
But I think both can be changed to use the ldb_get_base_dn() fn.
> Also it would be nice to have some more torture tests, to make sure
> the correct values are returned and used internally.
Yeah, that's a bit difficult, but I've been wondering how one might get
that kind of information. Perhaps at least matching up the SAMR, LSA
and DRSUAPI replies.
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
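The thread describes the PDC emulator being recorded as the fSMORoleOwner attribute on the domain's base DN, and the follow-up points out that rootDomainNamingContext and defaultNamingContext name different partitions on a child-domain DC. The following is an added example, not Samba code or anything from the thread: it models a small forest as a Python dictionary of DN to attributes (constructed sample data, so it runs offline), resolves fSMORoleOwner through the NTDS Settings object to the owning server's dNSHostName, and shows that reading the wrong naming context on a child-domain DC gives the wrong answer to "are we the PDC?". The attribute names used (fSMORoleOwner, dsServiceName, dNSHostName, defaultNamingContext, rootDomainNamingContext) are real Active Directory attributes; the DNs and host names are made up.

```python
"""Resolve the PDC emulator from fSMORoleOwner (added example, not Samba code).

The directory is modelled as a dict of DN -> {attribute: [values]} so the
example runs offline. All DNs and host names below are constructed samples.
"""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

# Constructed forest: root domain DC=example,DC=com and a child domain.
# The local DC is DC2, which lives in the child domain.
NTDS_DC1 = ("CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,"
            "CN=Sites,CN=Configuration,DC=example,DC=com")
NTDS_DC2 = ("CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,"
            "CN=Sites,CN=Configuration,DC=example,DC=com")

SAMPLE_DIRECTORY: Directory = {
    # rootDSE as served by DC2 (the local DC in this scenario).
    "": {
        "defaultNamingContext": ["DC=child,DC=example,DC=com"],
        "rootDomainNamingContext": ["DC=example,DC=com"],
        "dsServiceName": [NTDS_DC2],
    },
    # Each domain NC head records its own PDC emulator.
    "DC=example,DC=com": {"fSMORoleOwner": [NTDS_DC1]},
    "DC=child,DC=example,DC=com": {"fSMORoleOwner": [NTDS_DC2]},
    # Server objects (parents of the NTDS Settings objects) carry the host name.
    "CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,"
    "DC=example,DC=com": {"dNSHostName": ["dc1.example.com"]},
    "CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,"
    "DC=example,DC=com": {"dNSHostName": ["dc2.child.example.com"]},
}


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape pairs intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return parts


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: lower-case RDNs, no stray whitespace."""
    return ",".join(part.lower() for part in split_dn(dn))


def parent_dn(dn: str) -> str:
    """Drop the leading RDN: CN=NTDS Settings,CN=DC1,... -> CN=DC1,..."""
    return ",".join(split_dn(dn)[1:])


def get_entry(directory: Directory, dn: str) -> Optional[Entry]:
    """Look an entry up by DN, comparing in normalized form."""
    want = normalize_dn(dn)
    for key, entry in directory.items():
        if normalize_dn(key) == want:
            return entry
    return None


def first_value(entry: Optional[Entry], attr: str) -> Optional[str]:
    """Case-insensitive single-value lookup (like ldb_msg_find_attr_as_string)."""
    if entry is None:
        return None
    for name, values in entry.items():
        if name.lower() == attr.lower() and values:
            return values[0]
    return None


def find_pdc_emulator(directory: Directory, domain_dn: str) -> Optional[str]:
    """DNS host name of the DC holding the PDC emulator role for domain_dn."""
    owner = first_value(get_entry(directory, domain_dn), "fSMORoleOwner")
    if owner is None:
        return None
    # fSMORoleOwner points at an NTDS Settings object; its parent is the server.
    server = get_entry(directory, parent_dn(owner))
    return first_value(server, "dNSHostName")


def local_dc_is_pdc_emulator(directory: Directory,
                             naming_context_attr: str = "defaultNamingContext") -> bool:
    """Compare the domain head's fSMORoleOwner with our own dsServiceName.

    naming_context_attr selects which rootDSE attribute names the domain to
    inspect; on a child-domain DC only defaultNamingContext is correct.
    """
    rootdse = get_entry(directory, "")
    domain_dn = first_value(rootdse, naming_context_attr)
    our_ntds = first_value(rootdse, "dsServiceName")
    if domain_dn is None or our_ntds is None:
        return False
    owner = first_value(get_entry(directory, domain_dn), "fSMORoleOwner")
    return owner is not None and normalize_dn(owner) == normalize_dn(our_ntds)


if __name__ == "__main__":
    for dn in ("DC=example,DC=com", "DC=child,DC=example,DC=com"):
        print(f"PDC emulator for {dn}: {find_pdc_emulator(SAMPLE_DIRECTORY, dn)}")
    for attr in ("defaultNamingContext", "rootDomainNamingContext"):
        print(f"are we the PDC (via {attr})? "
              f"{local_dc_is_pdc_emulator(SAMPLE_DIRECTORY, attr)}")
```

Run as a script it resolves each domain's PDC emulator and then answers "are we the PDC?" twice: via defaultNamingContext the child-domain DC correctly sees itself as the role owner, via rootDomainNamingContext it looks at the forest root's domain head and wrongly concludes it is not. The DN handling is deliberately normalized before comparison because fSMORoleOwner and dsServiceName can differ in case and spacing while naming the same object.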