[PATCH] Enable Samba KCC for 4.5

Denis Cardon denis.cardon at tranquil-it-systems.fr
Thu Jun 30 09:12:10 UTC 2016

Hi Andreas and everyone,

>> I propose that we should enable the python samba KCC for 4.5. For any
>> reasonably sized domain, the fully connected topology where every DC
>> talks to every DC causes quite a big performance hit. One domain we
>> encountered which uses the new KCC, appeared to have large replication
>> pulses when just a lone DC was introduced briefly with the old KCC and
>> subsequently crippled the domain. The new KCC, unlike the old one
>> actually obeys site link restrictions and most of the improvement comes
>> from the intersite replication code I wrote when I worked on this
>> originally.
>> We're still aware of shortcomings and are hoping to do a bit more work
>> to possibly address some of them or at least investigate them, but many
>> of those cases are when DCs are down or missing or when links slowly
>> accumulate over time. In the case of link accumulation, it would still
>> take a long time before it got as bad as the original KCC however and
>> it should be easily fixed by wiping all connections from the domain and
>> rebuilding from scratch. The trouble is not the fear of over-connecting
>> domains, but under-connecting them and failing to get replication
>> changes to everybody. So far, the domains we have observed have failed
>> to demonstrate any noticeable issues and we know of people running it
>> without any major issues.
> I'm working on support for MIT Kerberos in Samba AD DC for more than two
> years now. Till now I didn't get the OK to push all my work upstream and then
> fix things which do not work upstream.

I am not competent on that point, so I won't say anything except that it 
would indeed be great to have a samba-dc package on Redhat/CentOS having 
something more than just a README. And I guess MIT kerberos support is 
one of the blocking issues :-)

> The samba_kcc stuff is already upstream but you say that it is not fully
> working yet and you want to turn it on now.

I agree with Garmin that the current default may only be ok for 
simple/basic networks, but in any larger network it is very misleading. 
Indeed for larger domains, sysadmins are used to configuring sites, links 
and subnets, but the current default config just ignores all of that and 
makes people wonder why it is not working.

Moreover, full-meshed replication runs amok in star topology scenarios 
where branch sites cannot see each other and firewalls are configured 
with no icmp unreachable responses... Actually it does generate 
consulting work for us to clean up the mess, so it is good for business, 
but quite frustrating for domain admins.

We've been using the new samba_kcc since samba 4.3.0 (it was actually a 
prerequisite for one of our projects last september). The new KCC does 
work and gives something corresponding to the topology designed in the sites 
& services mmc. It gives us satisfaction with domains from a few sites 
to dozens of sites. Currently the biggest samba_kcc managed domain we 
have has 40+ sites and DCs.

To give another example I talked about at sambaXP, we migrated a domain 
9 months ago with 25 DCs on 24 sites, star topology on satlinks 2mbps 
with 500ms latency... and the new kcc does the job.

There are a few things that could be improved, like a repadmin.exe 
equivalent of delrepsto/addrepsto in samba-tool. But it is not specific 
to the new kcc. Another shortcoming (might be changed in newest version, 
I didn't test yet) is that leftover repsFrom/repsTo might not be deleted 
when not needed anymore.

my 2cts,


> I still see issues in 'make test' which seem to be KCC related and till they
> are fixed we should not enable it by default. As our debug system is horribly
> broken and I just started to look into that to get more useful output in our
> tools you have to check if it is KCC related or not.
> Forwarded the call to execute the KCC
> SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed:
> Forwarded the call to execute the KCC
> Consistency check on localdc successful.
> ../source4/rpc_server/drsuapi/getncchanges.c:1792: DsGetNCChanges 2nd
> replication on DN CN=Administrator,CN=Users,DC=samba,DC=example,DC=com newer
> highwatermark (last_dn (null))
> Forwarded the call to execute the KCC
> Consistency check on rodc successful.
> ../source4/rpc_server/drsuapi/getncchanges.c:1778: DsGetNCChanges 2nd
> replication on different DN CN=Configuration,DC=samba,DC=example,DC=com
> CN=Administrator,CN=Users,DC=samba,DC=example,DC=com (last_dn (null))
> make -j test TESTS="krb5.kdc"
>> In domains where it might fail to work, at worst they can turn on the
>> old KCC and get the old replication topology. But for larger domains, it
>> seems a necessary change, and even an accidental mix of the two KCC can
>> do some real damage.
> It is the same with the MIT KDC ... I'm still working on that fixing and
> improving it.
> 	-- andreas

Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0)
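The difference the thread is about (a fully meshed topology that ignores sites versus one that follows the configured site links) is easy to see on a small model. The following Python is an added illustration written for this page, not Samba's samba_kcc code: it assumes a toy model in which DCs inside one site replicate with each other, intersite connections are chosen as a minimum spanning tree over the site links (with the first DC of a site standing in as bridgehead), and the old behaviour is simply every DC paired with every DC. The sample star topology (one hub site, 24 branch sites on links to the hub only) is constructed here to mirror the satlink domain mentioned above.

```python
"""Toy comparison of a site-agnostic full mesh against a site-link-aware
replication topology. Added example, not Samba code; the topology, costs and
bridgehead choice are assumptions made for illustration only."""
from itertools import combinations


def star_topology(branches=24):
    """Constructed sample: a hub site with two DCs and `branches` branch
    sites with one DC each, each branch linked to the hub and nothing else."""
    sites = {"HUB": ["hubdc1", "hubdc2"]}
    links = []
    for i in range(1, branches + 1):
        name = f"BRANCH{i:02d}"
        sites[name] = [f"dc{i:02d}"]
        links.append((name, "HUB", 100))  # (site_a, site_b, cost), assumed cost
    return sites, links


def full_mesh(sites):
    """Old behaviour as the thread describes it: every DC pairs with every DC,
    whatever site it belongs to. Returns undirected DC pairs."""
    dcs = sorted(dc for members in sites.values() for dc in members)
    return set(combinations(dcs, 2))


def site_link_aware(sites, links):
    """Intrasite mesh plus one bridgehead pair per site link kept by a
    minimum spanning tree (Kruskal) over the configured site links."""
    conns = set()
    for members in sites.values():
        conns.update(combinations(sorted(members), 2))

    parent = {site: site for site in sites}

    def find(site):
        while parent[site] != site:
            parent[site] = parent[parent[site]]
            site = parent[site]
        return site

    for a, b, _cost in sorted(links, key=lambda link: link[2]):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:  # link joins two still-separate parts of the tree
            parent[root_a] = root_b
            # assumption: first DC of each site acts as its bridgehead
            conns.add(tuple(sorted((sites[a][0], sites[b][0]))))
    return conns


def branch_to_branch(sites, conns):
    """Pairs spanning two different non-hub sites: exactly the connections
    that cannot work when branches are firewalled from each other."""
    site_of = {dc: site for site, members in sites.items() for dc in members}
    return {
        pair for pair in conns
        if site_of[pair[0]] != site_of[pair[1]]
        and "HUB" not in (site_of[pair[0]], site_of[pair[1]])
    }


if __name__ == "__main__":
    sites, links = star_topology()
    mesh, aware = full_mesh(sites), site_link_aware(sites, links)
    print(f"full mesh: {len(mesh)} connections, "
          f"{len(branch_to_branch(sites, mesh))} branch-to-branch")
    print(f"site-link aware: {len(aware)} connections, "
          f"{len(branch_to_branch(sites, aware))} branch-to-branch")
```

With 26 DCs the full mesh yields 325 DC pairs, 276 of them between branch sites that in the scenario above cannot reach each other, while the site-link-aware tree yields 25 pairs and no branch-to-branch connection at all.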
