[PATCH][WIP] Make the Samba AD DC multi-process
abartlet at samba.org
Wed Nov 30 18:28:25 UTC 2016
On Wed, 2016-11-30 at 07:38 +0100, Stefan Metzmacher wrote:
> Am 21.11.2016 um 05:01 schrieb Andrew Bartlett:
> > On Fri, 2016-10-14 at 20:01 +1300, Andrew Bartlett wrote:
> > >
> > > G'Day,
> > >
> > > Attached is a WIP set of patches to make Samba connect to ldb
> > > faster, for the @ATTRIBUTES load, used until we can read the full
> > > schema.
> > >
> > > This avoids some O(n^2) behaviour for the 600 attributes in the
> > > default schema, which was taking 5% of the time to run a simple
> > > ldbsearch.
> > >
> > > Please consider, but don't push until I run the benchmarks.
> > Attached is some work in progress to do this, and to allow the LDAP
> > and NETLOGON server to be multi-process.
> > This breaks the RPC protocol by not checking the assoc_group when we
> > accept a bind to the NETLOGON rpc server in the AD DC.
> > It also breaks the current link between the lsarpc services and
> > netlogon, which currently allow a bind on either pipe to access these
> > services.
> > I've tried to make that all as generic as possible.
> > Please comment. I don't plan to push this without coming back to the
> > list.
> It will take some time to go through this...
> One comment on hash_computer_name() now:
> - what's the point of doing such complex logic
> using hmac_sha256?
> - I'd just use tdb_jenkins_hash()
We didn't want to have the alternate comment:
- 'Why do you use an insecure hash that an attacker could target to
cause a DoS?'
The idea was just to make it relatively hard for an unauthenticated
attacker to deterministically bump a real device from the pool. I'm
not fixated on the particular hash beyond that and general 'avoid
insecure hashes in new code' however.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
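The point being argued above (an unkeyed hash such as tdb_jenkins_hash() lets an unauthenticated client pick a computer name that lands in the same worker slot as a chosen victim, while a keyed HMAC does not) is easy to demonstrate. The following is an added illustration and not code from the patch or from Samba; the slot count, the function names, the one-at-a-time Jenkins variant used as the "unkeyed" stand-in, the key derivation and the computer names are all assumptions made for the example. Python is used here because its standard library provides HMAC-SHA256 and the verifier can run it.

```python
import hashlib
import hmac
import os

# Hypothetical number of worker slots a connection can be assigned to.
POOL_SIZE = 256


def jenkins_one_at_a_time(data: bytes) -> int:
    """Bob Jenkins' one-at-a-time hash (stand-in for an unkeyed tdb-style
    hash).  Anyone who knows the algorithm can compute it for any input."""
    h = 0
    for b in data:
        h = (h + b) & 0xFFFFFFFF
        h = (h + (h << 10)) & 0xFFFFFFFF
        h ^= h >> 6
    h = (h + (h << 3)) & 0xFFFFFFFF
    h ^= h >> 11
    h = (h + (h << 15)) & 0xFFFFFFFF
    return h


def unkeyed_slot(computer_name: str, pool_size: int = POOL_SIZE) -> int:
    """Slot selection with an unkeyed hash: fully predictable by a client."""
    return jenkins_one_at_a_time(computer_name.lower().encode()) % pool_size


def keyed_slot(computer_name: str, key: bytes, pool_size: int = POOL_SIZE) -> int:
    """Slot selection with HMAC-SHA256 under a server-side secret key.
    The key must be random and shared by all worker processes so every
    process maps the same name to the same slot."""
    mac = hmac.new(key, computer_name.lower().encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % pool_size


def forge_colliding_name(victim: str, slot_fn, max_tries: int = 1_000_000) -> str:
    """What an attacker does: search for a name that slot_fn maps to the
    same slot as the victim.  slot_fn is the attacker's model of the server."""
    target = slot_fn(victim)
    for i in range(max_tries):
        candidate = f"evil{i}$"
        if slot_fn(candidate) == target:
            return candidate
    raise RuntimeError("no collision found")


def attacker_hit_rate(victims, server_key: bytes, attacker_key: bytes,
                      pool_size: int = POOL_SIZE):
    """Fraction of victims the attacker actually lands next to, for the
    unkeyed scheme and for the keyed scheme when the attacker does not
    know the server's key and has to guess one."""
    hits_unkeyed = hits_keyed = 0
    for victim in victims:
        cand = forge_colliding_name(victim, lambda n: unkeyed_slot(n, pool_size))
        if unkeyed_slot(cand, pool_size) == unkeyed_slot(victim, pool_size):
            hits_unkeyed += 1
        cand = forge_colliding_name(
            victim, lambda n: keyed_slot(n, attacker_key, pool_size))
        if keyed_slot(cand, server_key, pool_size) == keyed_slot(victim, server_key, pool_size):
            hits_keyed += 1
    return hits_unkeyed / len(victims), hits_keyed / len(victims)


if __name__ == "__main__":
    # Constructed sample: 200 victim workstation accounts, a random server
    # key, and an attacker who guesses a different key.
    victims = [f"ws{i}$" for i in range(200)]
    server_key = os.urandom(32)
    attacker_key = os.urandom(32)
    unkeyed, keyed = attacker_hit_rate(victims, server_key, attacker_key)
    print(f"unkeyed hash: attacker hits victim slot {unkeyed:.0%} of the time")
    print(f"keyed HMAC:   attacker hits victim slot {keyed:.0%} of the time")
```

With the unkeyed hash the attacker's forged name collides with the victim every time; with HMAC under a key the attacker does not hold, the hit rate falls to roughly 1/POOL_SIZE, which is what choosing the name at random would give. Two caveats follow from the construction: the key has to be unguessable (derived from nothing the client can observe) or the HMAC adds nothing, and a keyed hash only removes targeting, it does not stop an attacker who can open enough connections from filling every slot by volume.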