[PATCH][WIP] Make the Samba AD DC multi-process

Stefan Metzmacher metze at samba.org
Tue Dec 13 16:37:08 UTC 2016


Hi Andrew,

>> I don't see my concerns of my previous mails addressed,
>> so please don't push it as is.
>>
>> I can try to explain them again if required later today.
> 
> I'm really sorry to have to trouble you for them, because I've been
> working hard to address them.
> 
>  - I have added an smb.conf option for the lsa over netlogon behaviour
>  - I have added tests for that option
>  - I've explained that we can't conditionally check for incorrect
> association groups until we know which endpoint we bound to

This is wrong: we know the endpoint from the time we do the
listen on the socket. Or am I missing something?

call->conn->endpoint should be available before we even enter
dcesrv_bind(); everything else is a bug that needs to be fixed.
So please keep the assoc_group checks in one place.

We also don't need any check in dcesrv_handle_fetch()
as there won't be any handles if they're not created.

We also need to make sure we explicitly set
ep->use_single_process = true; if the lsa interface
tries to use the netlogon named pipe.

And we may need to use DLIST_ADD_END() instead of
DLIST_ADD() in some places and also check
ep->use_single_process if find_endpoint() found an endpoint.

Before calling dcesrv_add_ep() we may reset e->use_single_process
if this_model_ops == model_ops.

Maybe it would be good to have (temporary) DEBUG() statements
which print endpoint details and all available interfaces
in dcesrv_add_ep(). If we would have such code I'd like to
see the output of it in various situations, with all combinations
of possible process models and lsaovernetlogon=yes/no.
This would make it much easier to judge if I can be happy with the
logic you've implemented.

>  - I've changed to specifying flags, not just the use of handles
>  - I've explained why the dcerpc interface should and does declare
> about the use of handles, not the ignoring of association groups,
> because per your request, only when all interfaces on an endpoint don't
> use handles, do we ignore association groups.  (And the DCE/RPC server
> could track this some other way if it wanted). 
>  - I've explained that unused records are removed in the same way as
> the old code, on startup.

That's not true. You removed memcache_delete() without a replacement
and challenge_cache_fetch() is used if the client actually
switches the connection between netr_ServerReqChallenge()
and netr_ServerAuthenticate(), otherwise we'll use
dce_call->context->private_data to get the challenge.

I also guess some of the new includes are not required
anymore, at least "replace.h" comes already via
"includes.h" and #include "system/filesys.h" should
follow includes.h.

And I think netlogon_cache_entry should be moved to
schannel.idl next to netlogon_creds_CredentialState.

>  - And, as you have seen from Garming, we have shown this makes a
> significant improvement to the use case:  high-load 802.1x (NTLM)
> authentication via winbind on domain members. 
> 
> We have a customer who suffers significant load on the DCs after a wifi
> outage, because the DC needs to suddenly re-authenticate all the users.
> That is why we are working on this.
>
> I've re-read your last mail, and I'm honestly at my wits end as what
> more you want, so in the desperate hope that we are simply in
> miscommunication, can you please make clear again what specific changes
> you want?  I would really like to move on from this, and lock it in for
> 4.6.

I also hope we'll have it in 4.6.

Thanks for your patience.
metze
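The endpoint policy argued for in the mail above (decide association-group handling once, at bind time, from the endpoint the listening socket already identifies; ignore association groups only when no interface on the endpoint uses handles; and explicitly pin the lsa-over-netlogon case to a single process), written out as an added C illustration. This is not Samba code: every name in it (struct endpoint, struct process, IFACE_USES_HANDLES, endpoint_accept_bind, the "\\PIPE\\netlogon" string) is a hypothetical stand-in, and the per-process association-group table is a constructed model of why a multi-process endpoint cannot honour a group id created in another worker.

```c
/* Added illustration, not Samba code; all names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFACE_USES_HANDLES 0x1   /* interface hands out policy/context handles */
#define MAX_IFACES 8
#define MAX_GROUPS 16

struct iface {
    const char *name;
    unsigned int flags;
};

struct endpoint {
    const char *pipe_name;                  /* transport endpoint, e.g. "\\PIPE\\netlogon" */
    const struct iface *ifaces[MAX_IFACES];
    size_t num_ifaces;
    bool use_single_process;                /* all connections served by one worker */
    bool ignore_assoc_groups;               /* only when no interface here uses handles */
};

/* Association groups live in one worker process; another worker cannot see them. */
struct process {
    uint32_t groups[MAX_GROUPS];
    size_t num_groups;
    uint32_t next_id;
};

/* Append an interface at the END of the list (registration order preserved)
 * and recompute the endpoint policy from every interface now present. */
static bool endpoint_add_iface(struct endpoint *ep, const struct iface *iface)
{
    bool any_handles = false;
    size_t i;

    if (ep->num_ifaces >= MAX_IFACES) return false;
    ep->ifaces[ep->num_ifaces++] = iface;

    for (i = 0; i < ep->num_ifaces; i++)
        if (ep->ifaces[i]->flags & IFACE_USES_HANDLES) any_handles = true;

    ep->ignore_assoc_groups = !any_handles;   /* nothing to share without handles */
    ep->use_single_process = any_handles;     /* handles only exist in one worker */

    /* Explicit, as the mail asks: lsa served over the netlogon pipe pins
     * that endpoint to one process regardless of the flag computation. */
    if (strcmp(ep->pipe_name, "\\PIPE\\netlogon") == 0 &&
        strcmp(iface->name, "lsarpc") == 0)
        ep->use_single_process = true;
    return true;
}

static uint32_t process_new_assoc_group(struct process *proc)
{
    if (proc->num_groups >= MAX_GROUPS) return 0;
    proc->groups[proc->num_groups++] = proc->next_id;
    return proc->next_id++;
}

/* The one bind-time check: the endpoint is known from the listening socket,
 * so the decision needs nothing from the bind PDU beyond the group id. */
static bool endpoint_accept_bind(const struct endpoint *ep,
                                 const struct process *proc,
                                 uint32_t assoc_group_id)
{
    size_t i;
    if (assoc_group_id == 0) return true;          /* client wants a new group */
    if (ep->ignore_assoc_groups) return true;      /* no handles, nothing to join */
    for (i = 0; i < proc->num_groups; i++)
        if (proc->groups[i] == assoc_group_id) return true;
    return false;                                  /* group belongs to another worker */
}

/* Constructed scenario: the netlogon pipe, optionally also carrying lsarpc. */
static struct endpoint build_netlogon_endpoint(bool with_lsa)
{
    static const struct iface netlogon = { "netlogon", 0 };
    static const struct iface lsarpc = { "lsarpc", IFACE_USES_HANDLES };
    struct endpoint ep = { .pipe_name = "\\PIPE\\netlogon" };

    endpoint_add_iface(&ep, &netlogon);
    if (with_lsa) endpoint_add_iface(&ep, &lsarpc);
    return ep;
}

/* A group created by worker A shows up in a bind that worker B receives. */
static bool cross_worker_bind_accepted(bool with_lsa)
{
    struct endpoint ep = build_netlogon_endpoint(with_lsa);
    struct process a = { .next_id = 0x1000 };
    struct process b = { .next_id = 0x2000 };
    uint32_t id = process_new_assoc_group(&a);

    return endpoint_accept_bind(&ep, &b, id);
}

int main(void)
{
    struct endpoint plain = build_netlogon_endpoint(false);
    struct endpoint mixed = build_netlogon_endpoint(true);

    printf("netlogon only : single_process=%d ignore_groups=%d cross_bind=%d\n",
           plain.use_single_process, plain.ignore_assoc_groups,
           cross_worker_bind_accepted(false));
    printf("netlogon + lsa: single_process=%d ignore_groups=%d cross_bind=%d\n",
           mixed.use_single_process, mixed.ignore_assoc_groups,
           cross_worker_bind_accepted(true));
    return 0;
}
```

With only netlogon on the pipe the endpoint can be multi-process and a bind carrying a foreign group id is simply accepted, because there are no handles for the group to protect. Once lsarpc is added the endpoint is single-process, and the cross-worker bind in the model is rejected, which is exactly the situation the single-process flag exists to avoid: all binds for that endpoint must land in the worker that owns the handles.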

