[PATCH] small KCC fixes

Sat Apr 26 21:56:37 MDT 2014

Am 25.04.2014 05:13, schrieb Günter Kukkukk:
> Am 22.04.2014 15:31, schrieb Jelmer Vernooij:
>> On Tue, Apr 22, 2014 at 03:26:25PM +0200, Kamen Mazdrashki wrote:
>>> On Tue, Apr 22, 2014 at 3:15 PM, Jelmer Vernooij <jelmer at samba.org> wrote:
>>>
>>>> On Tue, Apr 22, 2014 at 02:50:41PM +0200, Kamen Mazdrashki wrote:
>>>>> On Tue, Apr 22, 2014 at 1:46 PM, Jelmer Vernooij <jelmer at samba.org>
>>>> wrote:
>>>>>> On Tue, Apr 22, 2014 at 12:55:47PM +0200, Kamen Mazdrashki wrote:
>>>>>>> Thanks Jelmer!
>>>>>>>
>>>>>>> Btw, what do you think about porting those patches to samba 4.0.x,
>>>> 4.1.x?
>>>>>>> Some of them looks like fixing real bugs when building topology?
>>>>>> In principle, it seems like a good idea to backport fixes like this.
>>>> How
>>>>>> did you find them though, and are you sure kcc works properly now?
>>>>>>
>>>>>
>>>>> I was trying to run something like "bin/samba_kcc -H private/sam.ldb
>>>>> --readonly --debug" to see
>>>>> what the output is - it wasn't working so I dig it further. I am
>>>> currently
>>>>> using two IDEs to make
>>>>> light my way in code I have forgotten - PyDev and PyCharm. And they are
>>>>> awesome - constantly
>>>>> 'pylint'-ing the code I am looking at (not to mention highlight for
>>>>> selected var). So I am able to quickly
>>>>> find small and big problems here and there. Surprisingly, there are a
>>>> lot :)
>>>>>
>>>>> Does kcc works properly now? It is hard for me to answer this - it should
>>>>> be working much
>>>>> properly that it was before the patch. But if it is working like totally
>>>>> properly - I am not sure.
>>>>> It seems to me that there is more fixes to be done so it runs without
>>>>> errors for more that one DC in Site :)
>>>>> I hope to be able to test it with more DCs and Sites.
>>>> In that case, it's probably not worth backporting these fixes right now,,
>>>> if it's not clear it's actually going to help users.
>>>>
>>> The only real benefit from backporting the patch for now is - to allow
>>> people
>>> to make one step further in using samba_kcc. So they can start making real
>>> fixes on the tool.
>>> Anyway, you are right that at this point there is no a big benefit from
>>> doing so.
>>> I will propose this again when I have samba_kcc in more working condition
>>> for
>>> multiple DCs/Sites.
>> master is the place for those kind of fixes to happen. When they are done, they
>> can be backported to 4.0.x.
>>
>> Cheers,
>>
>> Jelmer
>>
> 
> Hi Kamen,
> 
> during the last weeks - when doing samba AD DC tests with 3 to 4 joined AD DCs -
> mostly samba DCs, but also w2008r2 (partly w2012r2) - i came to the
> conclusion to *disable* samba_kcc completely (in smb.conf):
>      kccsrv:samba_kcc = false
> because it was not working at all!
> 
> Simple inbound/outbound replication did not work(!) - the replication
> partners (and direction) were not found/configured ....
> 
> Example: joined w2008r2 had only inbound (samba) partners - so it *behaved*
>          like a RODC - no updates at all allowed. (lots of error msgs)
> 
> I don't know the background behind the change from "C" to "python" kcc,
> but some info is here:
>     https://lists.samba.org/archive/samba-technical/2012-January/081141.html
> 
> Has this python project ever been finished in a sane way?
> Are there *any* torture test modules?
> 
> Beside others i noticed the following debug messages:
> 
>  Calling samba_kcc script
> /usr/local/samba/sbin/samba_kcc: 'DirectoryServiceAgent' object has no attribute 'create_connection'
> Child /usr/local/samba/sbin/samba_kcc exited with status 1 - Operation not permitted
> ../source4/dsdb/kcc/kcc_periodic.c:646: Failed samba_kcc - NT_STATUS_ACCESS_DENIED
> -----------------
> 
> /usr/local/samba/sbin/samba_kcc: 'module' object has no attribute 'replSchedule'
> Child /usr/local/samba/sbin/samba_kcc exited with status 1 - Operation not permitted
> ../source4/dsdb/kcc/kcc_periodic.c:646: Failed samba_kcc - NT_STATUS_ACCESS_DENIED
> ------------------
> 
> When samba_kcc is enabled - MS server GUI tools - and
>   samba-tool drs showrepl [server]
> list the bottom section
>   "==== KCC CONNECTION OBJECTS ===="
> as being *empty* for most servers...
> 
> Cheers, Günter
> 
> Note - in current samba releases python samba_kcc is disabled.. (but not in git master)
> 
> https://lists.samba.org/archive/samba-technical/2014-April/098945.html
> 

Hi Kamen,

well pylint could/*should* really be the *very first step* to check for "fatal" and "error"
conditions in the samba python code. :-)

I also just looked at "kcc_utils.py" and "samba_kcc" - only for "fatal" and "error" conditions:
(your recent patches are already applied)

-----------------------------
li4771-131:/usr/local/samba/lib64/python2.7/site-packages/samba # pylint -d all -e E,F kcc_utils.py
No config file found, using default configuration
************* Module samba.kcc_utils
E: 76,28:NamingContext.load_nc: Too many arguments for format string
E:378,29:NCReplica.commit_repsFrom: Instance of 'NCReplica' has no 'dsa_dnstr' member
E:909,39:NTDSConnection.load_connection: Module 'samba.dcerpc.drsblobs' has no 'replSchedule' member
E:931,28:NTDSConnection.load_connection_transport: Too many arguments for format string
----------------------------

li4771-131:/usr/local/samba/lib64/python2.7/site-packages/samba # export PYTHONPATH=/usr/local/samba/sbin:/usr/local/samba/lib64/python2.7/site-packages/
li4771-131:/usr/local/samba/lib64/python2.7/site-packages/samba # pylint -d all -e E,F /usr/local/samba/sbin/samba_kcc
No config file found, using default configuration
************* Module samba_kcc
E:658,23:KCC.modify_repsFrom: Module 'ldb' has no 'ldbError' member
E:1031,23:KCC.get_all_bridgeheads: Module 'ldb' has no 'ldbError' member
E:1276,24:KCC.create_connection: Module 'samba.dsdb' has no 'NTDSCONN_USE_NOTIFY' member

The last definition above should surely be NTDSCONN_OPT_USE_NOTIFY

These are only *hard* bugs - but what about "the intended workflow/usage" of these modules?
Who takes ownership now?

Cheers, Günter

-- 