[SAMBA4] Should 'PDC status' be an smb.conf, or ldb parameter?

Andrew Bartlett abartlet at samba.org
Wed Dec 13 00:05:46 GMT 2006


On Wed, 2006-12-13 at 00:41 +0100, Stefan (metze) Metzmacher wrote:
> Andrew Bartlett schrieb:
> > I've recently been doing work to improve our 'CrackNames' code, and I
> > have opened a can of worms:
> > To pass our RPC-CRACKNAMES test, we need to implement
> > DsGetDomainControllerInfo.  This lists details about domain controllers,
> > from the information in the directory.  In particular, it lists which is
> > the PDC emulator.
> > 
> > This sent me off in search of how this is recorded in the directory, and
> > I found it is controlled/recorded by the value of the fSMORoleOwner
> > attribute in the base DN for the domain.  This script: 
> > http://techtasks.com/code/viewbookcode/64 shows how it works nicely.  
> > 
> > I now have code in our SAMR server to identify the PDC correctly from
> > this entry (we would previously always return ourselves as the PDC.
> > Clearly nobody cares, as Samba 3.0 does likewise).  (As a side note,
> > there seems to also be code in the NBT server that needs a similar
> > adjustment).
> > 
> > The can of worms comes from then determining what server role we are in,
> > for the other dependent services.  For example, our NBT server should
> > not take the <1b> unless it is the PDC.  Should this continue to be an
> > smb.conf setting, or should we read the directory?  If we read the
> > directory, how often and from where should we handle this?  Likewise,
> > there are announce flags and other similar places where the PDC/BDC
> > distinction still remains.
> > 
> > I've in the past argued for keeping the text-based smb.conf, but for
> > this setting, it seems that the directory is more appropriate. 
> > 
> > Thoughts?
> 
> that's fine, I'd like to read a lot more out of the directory,
> as that's what we need to do when we want to support replication!
> 
> we should also try to have a way to support the BDC in a NT4 domain.
> 
> so that we can do migrations by becoming an NT4 BDC, then promote us as
> an NT4 PDC in the domain and then upgrade the domain to Active Directory
> in mixed mode still serving the old NT4 BDCs.
> 
> >  
> > -	basedn_s = ldb_msg_find_attr_as_string(res->msgs[0], "rootDomainNamingContext", NULL);
> > -	if (basedn_s == NULL) {
> > +	basedn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, res->msgs[0], "rootDomainNamingContext");
> > +	if (basedn == NULL) {
> >  		goto failed;
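Review bot: the attribute passed to the new ldb_msg_find_attr_as_dn() call should name the local domain partition rather than the forest root: "rootDomainNamingContext" is the naming context of the forest root domain, so on a DC that hosts a child domain this basedn points at the wrong partition, whereas "defaultNamingContext" (or the ldb's own base DN) is the partition of the local DC. A second, smaller point: because ldb_msg_find_attr_as_dn() returns NULL both when the attribute is absent and when its value does not parse as a DN, the single `if (basedn == NULL)` check now covers a malformed value as well as a missing attribute, which the old string check did not; a short comment on that branch would stop the failure path being read as "attribute missing" only.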
> 
> I think "rootDomainNamingContext" is wrong here, as that means the
> forest root domain, and "defaultNamingContext" is the domain partition
> of the local dc.
> 
> (this appears in some other places in the patch too)

Yeah, it's that way from how tridge had the code to find the domain SID.
But I think both can be changed to use the ldb_get_base_dn() fn.

> Also it would be nice to have some more torture tests, to make sure
> the correct values are returned and used internally.

Yeah, that's a bit difficult, but I've been wondering how one might get
that kind of information.  Perhaps at least matching up the SAMR, LSA
and DRSUAPI replies.

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
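The following is an added example, not code from this thread or from Samba, showing the lookup the discussion is about: read the domain naming context from the rootDSE, fetch fSMORoleOwner from that entry, and resolve it to the server object that holds the DNS name. The directory contents, the host names and the two-domain forest layout are all constructed for the example; the helper functions are hypothetical names. It also shows the point metze raises, that reading rootDomainNamingContext instead of defaultNamingContext gives the wrong answer on a DC in a child domain.

```python
"""Resolve the PDC emulator role owner from a directory snapshot.

Added example (not from the samba-technical thread or from Samba): the
directory is modelled as a dict of DN -> attributes, constructed inline,
so this runs offline. It demonstrates that fSMORoleOwner on the domain
naming context holds the DN of the PDC emulator's NTDS Settings object,
and why the rootDSE attribute used to find that naming context matters.
"""

# Constructed sample: a forest root domain (example.com) and a child domain
# (child.example.com). The rootDSE is the one a DC of the child domain serves.
CONFIG = "CN=Configuration,DC=example,DC=com"


def ntds_dn(server, site="Default-First-Site-Name"):
    """DN of a DC's NTDS Settings object, the value fSMORoleOwner holds."""
    return f"CN=NTDS Settings,CN={server},CN=Servers,CN={site},CN=Sites,{CONFIG}"


def server_dn(server, site="Default-First-Site-Name"):
    """DN of the server object, the parent of the NTDS Settings object."""
    return f"CN={server},CN=Servers,CN={site},CN=Sites,{CONFIG}"


DIRECTORY = {
    # rootDSE as seen on DC2, a DC of the child domain (constructed values)
    "": {
        "defaultNamingContext": "DC=child,DC=example,DC=com",
        "rootDomainNamingContext": "DC=example,DC=com",
        "dsServiceName": ntds_dn("DC2"),
    },
    # Each domain partition records its own PDC emulator in fSMORoleOwner.
    "DC=example,DC=com": {"fSMORoleOwner": ntds_dn("DC1")},
    "DC=child,DC=example,DC=com": {"fSMORoleOwner": ntds_dn("DC2")},
    ntds_dn("DC1"): {"objectClass": "nTDSDSA"},
    ntds_dn("DC2"): {"objectClass": "nTDSDSA"},
    # Server objects carry the DNS host name.
    server_dn("DC1"): {"dNSHostName": "dc1.example.com"},
    server_dn("DC2"): {"dNSHostName": "dc2.child.example.com"},
}


def parent_dn(dn):
    """Strip the leading RDN. Assumes no escaped commas (true of the sample)."""
    return dn.split(",", 1)[1]


def pdc_emulator_dns_name(directory, naming_context_attr="defaultNamingContext"):
    """DNS host name of the PDC emulator for the partition named by the given
    rootDSE attribute, or None if any hop of the lookup is missing."""
    root_dse = directory.get("", {})
    domain_dn = root_dse.get(naming_context_attr)
    if domain_dn is None:
        return None
    role_owner = directory.get(domain_dn, {}).get("fSMORoleOwner")
    if role_owner is None:
        return None
    # fSMORoleOwner -> NTDS Settings DN; its parent is the server object.
    server = directory.get(parent_dn(role_owner), {})
    return server.get("dNSHostName")


def local_dc_is_pdc_emulator(directory, naming_context_attr="defaultNamingContext"):
    """True if this DC (rootDSE dsServiceName) owns the PDC emulator role
    for the partition named by naming_context_attr."""
    root_dse = directory.get("", {})
    domain_dn = root_dse.get(naming_context_attr)
    if domain_dn is None:
        return False
    role_owner = directory.get(domain_dn, {}).get("fSMORoleOwner")
    return role_owner is not None and role_owner == root_dse.get("dsServiceName")


if __name__ == "__main__":
    print("PDC emulator (local domain):", pdc_emulator_dns_name(DIRECTORY))
    print("PDC emulator (forest root):",
          pdc_emulator_dns_name(DIRECTORY, "rootDomainNamingContext"))
    print("this DC holds the role:", local_dc_is_pdc_emulator(DIRECTORY))
```

With defaultNamingContext the lookup returns the child domain's own PDC emulator and correctly reports that the local DC holds the role; switching the same code to rootDomainNamingContext silently answers for the forest root instead, which is the mismatch the review comment on the patch points at.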
