[PATCH] Enable Samba KCC for 4.5

Andrew Bartlett abartlet at samba.org
Sun Jul 3 22:36:00 UTC 2016

On Thu, 2016-06-30 at 11:12 +0200, Denis Cardon wrote:
> I agree with Garmin that the current default may only be ok for 
> simple/basic networks, but in any larger network it is very
> misleading. 
> Indeed for larger domain, sysadmins are used to configure sites,
> links 
> and subnets but the current default config just ignore all of that
> and 
> makes people wonder why it is not working.
> Moreover, full-meshed replication runs amok in star topology
> scenarios 
> where branch sites cannot see each other and firewall are configured 
> with no icmp unreachable responses... Actually It does generate 
> consulting work for us to clean up the mess, so it is good for
> business, 
> but quite frustrating for domain admins.

Thanks Denis.

This puts the discussion very well.  The new KCC changes us from a
essentially 'can't fail' KCC connecting everything, to a smart KCC that
can actually scale to a large network. 

As you say, the old code is quite destructive to large networks, we
need to get rid of it urgently, because failing to use it, even on a
single DC, can cause a replication storm large enough to bring down a

I'm quite confident that the new KCC is an improvement, and unlike the
old code it is extensively tested!  Like all code, it can be improved
further, but the primary identified failing is that, like the old code,
it never cleans up replication links once created. 

Thankfully our team at Catalyst has some budget to address some of
these concerns as bug-fixes.

As we have addressed a number of other major scaling constraints in
replication, and this is a significant marginal improvement, I'm really
keen to get this in to Samba 4.5.  My gut feeling is that we have
already doubled our maximum scale!


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   

More information about the samba-technical mailing list