AD DNS and Global sequence number implementation

Amitay Isaacs amitay at gmail.com
Mon Nov 21 17:05:33 MST 2011


Hi All,

In the current implementation of dlz_bind9, the connection to the SAM
database is made over an internal LDAP socket. This creates a dependency
between samba and named, as named cannot be started without samba first
running. And in case samba is restarted, named also has to be restarted.

Since DNS data is mainly stored in two separate partitions (DomainDnsZones
and ForestDnsZones), Tridge suggested giving named permissions to these two
partitions only. In the current samdb scheme, any process requiring write
access to specific partitions has to have full access to sam because of the
transactions. To overcome this problem, we created a partial copy of the
SAM database.

In the partial copy
  - RootDSE, Schema, Configuration partitions are copied as is,
  - New empty Domain partition is created (to prevent access to secrets),
  - DomainDnsZones, ForestDnsZones partitions are linked to the main SAM
    partitions.
In addition, the permissions of the DNS partitions are changed to give
named write access to these partitions.

With this partial copy of SAM and dlz_bind9 connecting to it directly,
named can be started without having to start samba first. However, this
brings forth another issue when I start replicating DNS partitions with
other DCs in the domain. The problem is that when new records are created
by dlz_bind9, they are created with the wrong sequence number. This is
because the sequence number logic relies on the availability of all the
partitions since the inception of the SAM. The sequence number is
calculated as the sum of the changes done per partition. If we lose any of
the partitions, then the sequence number calculated is obviously smaller
than what it should be.

To overcome this problem, I have put together a few patches that use a TDB
database (metadata.tdb) to store the sequence number. This way the sequence
number is independent of the partitions and survives deletion of
partitions.

http://git.samba.org/amitay/samba/?p=amitay/samba;a=shortlog;h=refs/heads/seqnum-wip

The patches do the following -

1. Remove LDB_SEQUENCE_HIGHEST_TIMESTAMP. This was a hack to store the
    sequence number in LDAP backends using the timestamp field. (We do not
    support LDAP backends any more for samba4, right?)

2. Update dsdb_module_extended() and use it instead of duplicating the code

3. Create metadata.tdb as part of partition module (partition_metadata.c).
    The first time metadata.tdb is created, the sequence number is
    calculated based on the current logic and then saved in metadata.tdb.
    From then onwards, it only uses metadata.tdb.

4. Create a partial copy of SAM database for DNS during provision.

5. Use SAM partial copy by default in dlz_bind9.

This fixes the replication issue of DNS partitions.

Amitay.
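
Added illustration, not part of the original mail and not Samba or ldb code: a toy C model of the failure described above, where a global sequence number computed as the sum of per-partition change counts drops once the Domain partition is replaced by an empty one, while a value seeded once into a separate store keeps counting. All struct and function names are hypothetical and the change counts are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the scheme in the mail above; not Samba or ldb code. */
struct partition { const char *name; uint64_t seq; };

struct samdb {
    struct partition parts[5];
    int have_metadata;      /* stands in for metadata.tdb existing */
    uint64_t metadata_seq;  /* stands in for the value kept in metadata.tdb */
};

/* Constructed sample change counts, chosen only for illustration. */
struct samdb sample_db(void) {
    struct samdb db = { { {"Domain", 4000}, {"Configuration", 300}, {"Schema", 200},
                          {"DomainDnsZones", 50}, {"ForestDnsZones", 20} }, 0, 0 };
    return db;
}

/* Old logic: the global number is the sum of per-partition change counts. */
uint64_t seq_by_sum(const struct samdb *db) {
    uint64_t total = 0;
    for (size_t i = 0; i < 5; i++) total += db->parts[i].seq;
    return total;
}

/* New logic: seed the stored value once from the sum, then use only the store. */
uint64_t seq_by_metadata(struct samdb *db) {
    if (!db->have_metadata) { db->metadata_seq = seq_by_sum(db); db->have_metadata = 1; }
    return db->metadata_seq;
}

/* A write bumps the partition's own count and the stored global count. */
void record_change(struct samdb *db, const char *name) {
    for (size_t i = 0; i < 5; i++)
        if (strcmp(db->parts[i].name, name) == 0) db->parts[i].seq++;
    seq_by_metadata(db);    /* make sure the store has been seeded */
    db->metadata_seq++;
}

/* Swap a partition for a new empty one, as the partial copy does for Domain. */
void replace_with_empty(struct samdb *db, const char *name) {
    for (size_t i = 0; i < 5; i++)
        if (strcmp(db->parts[i].name, name) == 0) db->parts[i].seq = 0;
}

int main(void) {
    struct samdb db = sample_db();
    seq_by_metadata(&db);   /* first use seeds the store from the sum */
    replace_with_empty(&db, "Domain");
    record_change(&db, "DomainDnsZones");
    printf("sum=%llu stored=%llu\n", (unsigned long long)seq_by_sum(&db),
           (unsigned long long)seq_by_metadata(&db));
    return 0;
}
```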

