More KCC patches

Fri Jul 10 06:43:48 UTC 2015

hi Denis,

On 10/07/15 10:09, Denis Cardon wrote:
> G'Day Douglas and Andrew,
> 
>>>> I believe so, and thank you for trying!
>>>
>>> You are welcome. I am eager to see it working: I have a client who is
>>> deploying Samba4 on a primary school network and currently have more
>>> than 55 DCs on as many sites in one domain. I am quite wary about the
>>> current full meshed replication topology that the current KCC is doing,
>>> and I am eager to help getting samba_kcc to work :-)
>>
>> I did a new checkout of kcc-intersite-29 branch and found time today to
>> look deeper into the issue. Actually I realized that I had no bridgehead
>> defined for IP transport on the second site. Former kcc didn't care, but
>> the new one take that into account.

That sounds like a regression, though I am not quite sure what it
means to have a bridgehead defined on a site. It isn't what we have
been doing.

> * 2-DCs domain x2 : no regression (two differents domains, each with two
> sites). samba_kcc is more stringeant on the configuration, and seems not
> to create the ntdsconnection if there is no bridgehead server defined.
> Other than that it works fine.
> 
> * 1-RWDC + 2-RODC domain : it didn't work that well (but former kcc is
> not doing well in this scenario either). Running samba_kcc on the RWDC
> did build a inbound connexion from one of the RODC in the ADS&S console
> (but not the other one...) and didn't create the outbound connexions to
> the RODCs.

To clarify -- when you say a server creates an "inbound connection",
do you mean a connection that allows it to replicate from another
server? If so this sounds a bit backwards. Are these all on the same
site?

> However "samba-tool drs showrepl" does not show any inbound connexion
> from RODC (is it only using the repsfrom repsto attributes?). I have
> seen other strange stuff to cleanup on that domain, so don't worry too
> much about that spurious inbound connexion.
> 
> On the RODC, samba_kcc crashes :
> [root at srvads-retz.mache ~]# samba_kcc
> Traceback (most recent call last):
>   File "/usr/local/samba/sbin/samba_kcc", line 311, in <module>
>     attempt_live_connections=opts.attempt_live_connections)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py",
> line 2534, in run
>     self.remove_unneeded_ntdsconn(all_connected)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py",
> line 589, in remove_unneeded_ntdsconn
>     self._mark_unneeded_intersite_ntdsconn()
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/kcc/__init__.py",
> line 549, in _mark_unneeded_intersite_ntdsconn
>     for site in self.sites_table.values():
> AttributeError: 'KCC' object has no attribute 'sites_table'

OK that should be fixed now in kcc-intersite-29. It seems our tests
managed to avoid running that bit. Would it be possible to send an
ldif file of this set-up that we could add to the test suite?

> After deleting the inbound ntdsconnexion on the two RODCs, they were not
> automagically rebuild and I had to create them by hand. Replication is
> back to normal afterward.
> 
> Tomorow I'll continue validating the new samba_kcc on a 3-RWDC domain.
> 
> Is it possible to have the samba_kcc modification cherrypicked as a
> patchset that could be applied on a 4.2.2 tree? It will make it easier
> for me to have candidates with larger network for validation.

I'll have a go. I didn't manage to get to it today.

> By the way, is it necessary to updates all the DCs in the domain to run
> samba_kcc, especially with --readonly and --export-ldif or
> --dot-file-dir options. Is it even necessary to join the DC to the
> domain if one uses the -H ldap:// option?

I don't *think* it should be necessary to update all the DCs in these
cases. I am not sure about the joining with -H ldap question.

Me and Garming have done some more work in the kcc-intersite-29
branch, which may improve the results you get.

thanks,
Douglas