[PATCH][WIP] Make the Samba AD DC multi-process
Stefan Metzmacher
metze at samba.org
Tue Dec 13 16:37:08 UTC 2016
Hi Andrew,
>> I don't see my concerns of my previous mails addressed,
>> so please don't push it as is.
>>
>> I can try to explain them again if required later today.
>
> I'm really sorry to have to trouble you for them, because I've been
> working hard to address them.
>
> - I have added an smb.conf option for the lsa over netlogon behaviour
> - I have added tests for that option
> - I've explained that we can't conditionally check for incorrect
> association groups until we know which endpoint we bound to
This is wrong, we know the endpoint from the time we do the
listen on the socket. Or am I missing something?
call->conn->endpoint should be available before we even enter
dcesrv_bind() everything else is a bug that needs to be fixed.
So please keep the assoc_group checks in one place.
We also don't need any check in dcesrv_handle_fetch()
as there won't be any handles if they're not created.
We also need to make sure we explicitly set
ep->use_single_process = true; if the lsa interface
tries to use the netlogon named pipe.
And we may need to use DLIST_ADD_END() instead of
DLIST_ADD() in some places and also check
ep->use_single_process if find_endpoint() found an endpoint.
Before calling dcesrv_add_ep() we may reset e->use_single_process
if this_model_ops == model_ops.
Maybe it would be good to have (temporary) DEBUG() statements
which print endpoint details and all available interfaces
in dcesrv_add_ep(). If we would have such code I'd like to
see the output of it in various situations, with all combinations
of possible process models and lsaovernetlogon=yes/no.
This would make it much easier to judge if I can be happy with the
logic you've implemented.
> - I've changed to specifying flags, not just the use of handles
> - I've explained why the dcerpc interface should and does declare
> about the use of handles, not the ignoring of association groups,
> because per your request, only when all interfaces on an endpoint don't
> use handles, do we ignore association groups. (And the DCE/RPC server
> could track this some other way if it wanted).
> - I've explained that unused records are removed in the same way as
> the old code, on startup.
That's not true. You removed memcache_delete() without a replacement
and challenge_cache_fetch() is used if the client actually
switches the connection between netr_ServerReqChallenge()
and netr_ServerAuthenticate(), otherwise we'll use
dce_call->context->private_data to get the challenge.
I also guess some of the new includes are not required
anymore, at least "replace.h" comes already via
"includes.h" and #include "system/filesys.h" should
follow includes.h.
And I think netlogon_cache_entry should be moved to
schannel.idl next to netlogon_creds_CredentialState.
> - And, as you have seen from Garming, we have shown this makes a
> significant improvement to the use case: high-load 802.1x (NTLM)
> authentication via winbind on domain members.
>
> We have a customer who suffers significant load on the DCs after a wifi
> outage, because the DC needs to suddenly re-authenticate all the users.
> That is why we are working on this.
>
> I've re-read your last mail, and I'm honestly at my wits end as what
> more you want, so in the desperate hope that we are simply in
> miscommunication, can you please make clear again what specific changes
> you want? I would really like to move on from this, and lock it in for
> 4.6.
I also hope we'll have it in 4.6.
Thanks for your patience.
metze
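The endpoint rules argued over above (ignore association groups only while every interface on an endpoint declares it does not use handles; force the endpoint single-process when the lsa interface rides on the netlogon pipe; keep the assoc_group check in one place at bind time), as an added stand-alone C model. This is not Samba code and not code from either participant: the names `struct endpoint`, `struct iface`, `IFACE_FLAG_HANDLES_NOT_USED`, `endpoint_init()`, `add_iface()` and `bind_assoc_group_ok()` are invented for the example, and the rule that a handle-using interface also forces single-process mode is an assumption added here (handles are assumed to live in one process), not something the mail states.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed interface flag (not Samba's): the interface never creates or
 * looks up policy handles, so it does not depend on association groups. */
#define IFACE_FLAG_HANDLES_NOT_USED 0x1
#define MAX_IFACES 8

struct iface {
	const char *name;
	unsigned int flags;
};

struct endpoint {
	const char *pipe_name;      /* named pipe the endpoint listens on */
	bool use_single_process;    /* all connections must share one process */
	bool ignore_assoc_groups;   /* assoc_group_id checks may be skipped */
	const struct iface *ifaces[MAX_IFACES];
	int num_ifaces;
};

/* multi_process is the model requested; add_iface() may still override it. */
static void endpoint_init(struct endpoint *ep, const char *pipe_name,
			  bool multi_process)
{
	memset(ep, 0, sizeof(*ep));
	ep->pipe_name = pipe_name;
	ep->use_single_process = !multi_process;
	ep->ignore_assoc_groups = true;   /* no interface yet needs them */
}

/* Rules modelled from the thread:
 *  - assoc groups stay ignored only while every interface on the endpoint
 *    declares HANDLES_NOT_USED; one handle-using interface re-enables the
 *    checks and (assumption: handles live in one process) forces single-process;
 *  - the lsa interface on the netlogon pipe is explicitly forced single-process.
 * Returns 0 on success, -1 if the endpoint is full. */
static int add_iface(struct endpoint *ep, const struct iface *i)
{
	if (ep->num_ifaces >= MAX_IFACES) {
		return -1;
	}
	ep->ifaces[ep->num_ifaces++] = i;   /* append, keep registration order */
	if (!(i->flags & IFACE_FLAG_HANDLES_NOT_USED)) {
		ep->ignore_assoc_groups = false;
		ep->use_single_process = true;
	}
	if (strcmp(i->name, "lsarpc") == 0 &&
	    strcmp(ep->pipe_name, "netlogon") == 0) {
		ep->use_single_process = true;
	}
	return 0;
}

/* The single bind-time assoc_group check: joining an existing group (nonzero
 * id) needs a group this process knows, unless the endpoint ignores groups. */
static bool bind_assoc_group_ok(const struct endpoint *ep,
				unsigned int assoc_group_id, bool group_known)
{
	if (ep->ignore_assoc_groups) {
		return true;
	}
	return assoc_group_id == 0 || group_known;
}

static const struct iface netlogon_if = { "netlogon", IFACE_FLAG_HANDLES_NOT_USED };
static const struct iface lsarpc_if = { "lsarpc", 0 };

/* netlogon alone, multi-process requested (lsaovernetlogon = no). */
static bool scenario_netlogon_alone(void)
{
	struct endpoint ep;
	endpoint_init(&ep, "netlogon", true);
	add_iface(&ep, &netlogon_if);
	return !ep.use_single_process && ep.ignore_assoc_groups &&
	       bind_assoc_group_ok(&ep, 0x1234, false);
}

/* lsaovernetlogon = yes: lsa brings handles, so the pipe falls back to one
 * process and an unknown assoc group is rejected; assoc_group_id 0 is fine. */
static bool scenario_lsa_over_netlogon(void)
{
	struct endpoint ep;
	endpoint_init(&ep, "netlogon", true);
	add_iface(&ep, &netlogon_if);
	add_iface(&ep, &lsarpc_if);
	return ep.use_single_process && !ep.ignore_assoc_groups &&
	       !bind_assoc_group_ok(&ep, 0x1234, false) &&
	       bind_assoc_group_ok(&ep, 0, false);
}

int main(void)
{
	printf("netlogon alone: %d, lsa over netlogon: %d\n",
	       scenario_netlogon_alone(), scenario_lsa_over_netlogon());
	return 0;
}
```

The point of keeping the decision in `add_iface()` and the check in `bind_assoc_group_ok()` is the one made in the mail: the endpoint is known from the moment the socket is listened on, so the assoc_group policy is fixed at registration time and the bind path only consults it, with no second check needed where handles are fetched.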