[PATCH] small KCC fixes

Kamen Mazdrashki kamenim at samba.org
Sun Apr 27 17:53:28 MDT 2014 

Hi Günter,


On Sun, Apr 27, 2014 at 5:56 AM, Günter Kukkukk <linux at kukkukk.com> wrote:

> Am 25.04.2014 05:13, schrieb Günter Kukkukk:
> > Hi Kamen,
> >
> > during the last weeks - when doing samba AD DC tests with 3 to 4 joined
> AD DCs -
> > mostly samba DCs, but also w2008r2 (partly w2012r2) - i came to the
> > conclusion to *disable* samba_kcc completely (in smb.conf):
> >      kccsrv:samba_kcc = false
> > because it was not working at all!
> >
> > Simple inbound/outbound replication did not work(!) - the replication
> > partners (and direction) were not found/configured ....
> >
> > Example: joined w2008r2 had only inbound (samba) partners - so it
> *behaved*
> >          like a RODC - no updates at all allowed. (lots of error msgs)
> >
> > I don't know the background behind the change from "C" to "python" kcc,
> > but some info is here:
> >
> https://lists.samba.org/archive/samba-technical/2012-January/081141.html
> >
> > Has this python project ever been finished in a sane way?
> > Are there *any* torture test modules?
> >
> > Beside others i noticed the following debug messages:
> >
> >  Calling samba_kcc script
> > /usr/local/samba/sbin/samba_kcc: 'DirectoryServiceAgent' object has no
> attribute 'create_connection'
> > Child /usr/local/samba/sbin/samba_kcc exited with status 1 - Operation
> not permitted
> > ../source4/dsdb/kcc/kcc_periodic.c:646: Failed samba_kcc -
> NT_STATUS_ACCESS_DENIED
> > -----------------
> >
> > /usr/local/samba/sbin/samba_kcc: 'module' object has no attribute
> 'replSchedule'
> > Child /usr/local/samba/sbin/samba_kcc exited with status 1 - Operation
> not permitted
> > ../source4/dsdb/kcc/kcc_periodic.c:646: Failed samba_kcc -
> NT_STATUS_ACCESS_DENIED
> > ------------------
> >
> > When samba_kcc is enabled - MS server GUI tools - and
> >   samba-tool drs showrepl [server]
> > list the bottom section
> >   "==== KCC CONNECTION OBJECTS ===="
> > as being *empty* for most servers...
> >
> > Cheers, Günter
> >
> > Note - in current samba releases python samba_kcc is disabled.. (but not
> in git master)
> >
> > https://lists.samba.org/archive/samba-technical/2014-April/098945.html
> >
>
> Hi Kamen,
>
> well pylint could/*should* really be the *very first step* to check for
> "fatal" and "error"
> conditions in the samba python code. :-)
>
> I also just looked at "kcc_utils.py" and "samba_kcc" - only for "fatal"
> and "error" conditions:
> (your recent patches are already applied)
>
> -----------------------------
> li4771-131:/usr/local/samba/lib64/python2.7/site-packages/samba # pylint
> -d all -e E,F kcc_utils.py
> No config file found, using default configuration
> ************* Module samba.kcc_utils
> E: 76,28:NamingContext.load_nc: Too many arguments for format string
> E:378,29:NCReplica.commit_repsFrom: Instance of 'NCReplica' has no
> 'dsa_dnstr' member
> E:909,39:NTDSConnection.load_connection: Module 'samba.dcerpc.drsblobs'
> has no 'replSchedule' member
> E:931,28:NTDSConnection.load_connection_transport: Too many arguments for
> format string
> ----------------------------
>
> li4771-131:/usr/local/samba/lib64/python2.7/site-packages/samba # export
> PYTHONPATH=/usr/local/samba/sbin:/usr/local/samba/lib64/python2.7/site-packages/
> li4771-131:/usr/local/samba/lib64/python2.7/site-packages/samba # pylint
> -d all -e E,F /usr/local/samba/sbin/samba_kcc
> No config file found, using default configuration
> ************* Module samba_kcc
> E:658,23:KCC.modify_repsFrom: Module 'ldb' has no 'ldbError' member
> E:1031,23:KCC.get_all_bridgeheads: Module 'ldb' has no 'ldbError' member
> E:1276,24:KCC.create_connection: Module 'samba.dsdb' has no
> 'NTDSCONN_USE_NOTIFY' member
>
> I wonder how I have missed those with my plynt... It seems for my IDE
those are not *that* critical, hm.

Looking at the problems you have pointed out above, it seems like samba_kcc
is completely broken at the moment.
Interesting, how that happened. Bugs like 'missing drsbobls.replSchedule'
are imho hard to find right away, since
changing for an IDL could not be directly correlated with changes in Python
scripts right away.
I wonder how 'DirectoryServiceAgent.create_connection' method has
disappeared though without a notice :)


> The last definition above should surely be NTDSCONN_OPT_USE_NOTIFY
>
> These are only *hard* bugs - but what about "the intended workflow/usage"
> of these modules?
> Who takes ownership now?
>

I have no idea frankly said. For sure I am interested to work on this in
near future. Unfortunately at the moment
I am not proficient in this code at the moment

Cheers,
Kamen

More information about the samba-technical mailing list