[PATCH] Enable Samba KCC for 4.5

Andreas Schneider asn at samba.org
Thu Jun 30 05:57:46 UTC 2016

On Thursday, 30 June 2016 12:48:52 CEST Garming Sam wrote:
> Hi,

Hi Garming,

> I propose that we should enable the python samba KCC for 4.5. For any
> reasonably sized domain, the fully connected topology where every DC
> talks to every DC causes quite a big performance hit. One domain we
> encountered which uses the new KCC, appeared to have large replication
> pulses when just a lone DC was introduced briefly with the old KCC and
> subsequently crippled the domain. The new KCC, unlike the old one,
> actually obeys site link restrictions and most of the improvement comes
> from the intersite replication code I wrote when I worked on this
> originally.
> We're still aware of shortcomings and are hoping to do a bit more work
> to possibly address some of them or at least investigate them, but many
> of those cases are when DCs are down or missing or when links slowly
> accumulate over time. In the case of link accumulation, it would still
> take a long time before it got as bad as the original KCC however and
> it should be easily fixed by wiping all connections from the domain and
> rebuilding from scratch. The trouble is not the fear of over-connecting
> domains, but under-connecting them and failing to get replication
> changes to everybody. So far, the domains we have observed have failed
> to demonstrate any noticeable issues and we know of people running it
> without any major issues.

I've been working on support for MIT Kerberos in the Samba AD DC for more than 
two years now. Until now I didn't get the OK to push all my work upstream and 
then fix the things which do not work upstream.

The samba_kcc stuff is already upstream, but you say that it is not fully 
working yet and you want to turn it on now.

I still see issues in 'make test' which seem to be KCC related, and until they 
are fixed we should not enable it by default. As our debug system is horribly 
broken (I just started to look into that to get more useful output in our 
tools), you have to check whether it is KCC related or not.

Forwarded the call to execute the KCC
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: 

Forwarded the call to execute the KCC
Consistency check on localdc successful.
../source4/rpc_server/drsuapi/getncchanges.c:1792: DsGetNCChanges 2nd replication on DN CN=Administrator,CN=Users,DC=samba,DC=example,DC=com newer highwatermark (last_dn (null))
Forwarded the call to execute the KCC
Consistency check on rodc successful.
../source4/rpc_server/drsuapi/getncchanges.c:1778: DsGetNCChanges 2nd replication on different DN CN=Configuration,DC=samba,DC=example,DC=com CN=Administrator,CN=Users,DC=samba,DC=example,DC=com (last_dn (null))

make -j test TESTS="krb5.kdc"

> In domains where it might fail to work, at worst they can turn on the
> old KCC and get the old replication topology. But for larger domains, it
> seems a necessary change, and even an accidental mix of the two KCC can
> do some real damage.

It is the same with the MIT KDC ... I'm still working on fixing and 
improving it.

	-- andreas

Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
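The thread contrasts the old KCC's fully connected topology (every DC pulls from every DC) with a site-link-aware topology, and points out that the real risk is under-connecting a domain so that changes never reach some DC. The following is an added example, not Samba's samba_kcc code: it is a deliberately simplified model (a ring of connections inside each site, one bridgehead pair per site link) that counts connection objects for both styles and checks, by graph reachability, whether any DC's changes would fail to reach every other DC. The DC-to-site layout and the site links are constructed sample data.

```python
"""Model replication topologies and detect under-connected domains.

Added example, not Samba code. The intrasite ring plus one bridgehead
per site link is a simplification of what a real KCC computes.
"""
from collections import deque

# Constructed sample layout (hypothetical): DC name -> site name.
SAMPLE_DCS = {
    "dc1": "HQ", "dc2": "HQ", "dc3": "HQ",
    "dc4": "Branch-A", "dc5": "Branch-A",
    "dc6": "Branch-B",
}
# Constructed site links: pairs of sites allowed to replicate directly.
SAMPLE_SITE_LINKS = [("HQ", "Branch-A"), ("HQ", "Branch-B")]


def full_mesh(dcs):
    """Old-KCC style: every DC pulls from every other DC.

    A connection is a directed (source, destination) pair meaning
    'destination pulls changes from source'.
    """
    return {(a, b) for a in dcs for b in dcs if a != b}


def site_aware(dcs, site_links):
    """Site-aware style: a ring inside each site plus one bridgehead
    pair (first DC of each site, alphabetically) per site link."""
    by_site = {}
    for dc, site in sorted(dcs.items()):
        by_site.setdefault(site, []).append(dc)
    conns = set()
    for members in by_site.values():
        n = len(members)
        if n < 2:
            continue
        for i, dc in enumerate(members):
            nxt = members[(i + 1) % n]
            conns.add((dc, nxt))
            conns.add((nxt, dc))
    for s1, s2 in site_links:
        if s1 not in by_site or s2 not in by_site:
            continue  # link references a site with no DCs in it
        b1, b2 = by_site[s1][0], by_site[s2][0]
        conns.add((b1, b2))
        conns.add((b2, b1))
    return conns


def unreachable_from(origin, dcs, conns):
    """DCs that a change originating at `origin` would never reach,
    following connections in the direction changes flow."""
    out = {}
    for src, dst in conns:
        out.setdefault(src, set()).add(dst)
    seen = {origin}
    queue = deque([origin])
    while queue:
        cur = queue.popleft()
        for nxt in out.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(set(dcs) - seen)


def check_topology(dcs, conns):
    """Map each under-connected DC to the DCs its changes cannot reach.
    An empty result means every change reaches every DC."""
    report = {}
    for dc in dcs:
        missing = unreachable_from(dc, dcs, conns)
        if missing:
            report[dc] = missing
    return report


if __name__ == "__main__":
    mesh = full_mesh(SAMPLE_DCS)
    aware = site_aware(SAMPLE_DCS, SAMPLE_SITE_LINKS)
    print(f"full mesh: {len(mesh)} connections, "
          f"site-aware: {len(aware)} connections")
    print("site-aware problems:", check_topology(SAMPLE_DCS, aware))
    # Drop one site link to show how under-connection is reported.
    broken = site_aware(SAMPLE_DCS, [("HQ", "Branch-A")])
    print("with Branch-B link missing:", check_topology(SAMPLE_DCS, broken))
```

With the sample layout the full mesh needs 30 connection objects against 12 for the site-aware version; removing the HQ to Branch-B site link leaves dc6 isolated and the check reports it as unreachable from every other DC and vice versa, which is the under-connection case the thread warns about.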
