[PATCH][WIP] Make the Samba AD DC multi-process

Andrew Bartlett abartlet at samba.org
Wed Nov 30 18:28:25 UTC 2016


On Wed, 2016-11-30 at 07:38 +0100, Stefan Metzmacher wrote:
> Am 21.11.2016 um 05:01 schrieb Andrew Bartlett:
> > 
> > On Fri, 2016-10-14 at 20:01 +1300, Andrew Bartlett wrote:
> > > 
> > > G'Day,
> > > 
> > > Attached is a WIP set of patches to make Samba connect to ldb faster,
> > > for the @ATTRIBUTES load, used until we can read the full schema.
> > > 
> > > This avoids some O(n^2) behaviour for the 600 attributes in the default
> > > schema, which was taking 5% of the time to run a simple ldbsearch.
> > > 
> > > Please consider, but don't push until I run the benchmarks.
> > 
> > Attached is some work in progress to do this, and to allow the LDAP and
> > NETLOGON server to be multi-process.
> > 
> > This breaks the RPC protocol by not checking the assoc_group when we
> > accept a bind to the NETLOGON rpc server in the AD DC.
> > 
> > It also breaks the current link between the lsarpc services and
> > netlogon, which currently allows a bind on either pipe to access these
> > services.
> > 
> > I've tried to make that all as generic as possible.
> > 
> > Please comment.  I don't plan to push this without coming back to the
> > list.
> 
> It will take some time to go through this...
> 
> One comment on hash_computer_name() now:
> - what's the point of doing such complex logic
>   using hmac_sha256?
> - I'd just use tdb_jenkins_hash()

We didn't want to have the alternate comment:
 - 'Why do you use an insecure hash that an attacker could target to
cause a DoS?'

The idea was just to make it relatively hard for an unauthenticated
attacker to deterministically bump a real device from the pool.  I'm
not fixated on the particular hash beyond that and general 'avoid
insecure hashes in new code' however.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
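The trade-off discussed above (tdb_jenkins_hash() versus a keyed HMAC-SHA256 in hash_computer_name()) as an added, constructed Python illustration; this is not Samba's code. The pool size, the case normalisation of the name, and the one-at-a-time function standing in for tdb_jenkins_hash() (which is actually lookup3) are assumptions made for the demonstration.

```python
import hmac
import hashlib
import os

# Constructed illustration of the two hash choices discussed in the thread.
# This is NOT Samba's hash_computer_name(); the pool size, the name
# normalisation and the one-at-a-time stand-in for tdb_jenkins_hash() are
# assumptions for the demonstration.

POOL_SIZE = 8  # assumed number of worker slots in the pool


def jenkins_oaat(data: bytes) -> int:
    """Bob Jenkins' one-at-a-time hash: fast, unkeyed, fully public."""
    h = 0
    for b in data:
        h = (h + b) & 0xFFFFFFFF
        h = (h + (h << 10)) & 0xFFFFFFFF
        h ^= h >> 6
    h = (h + (h << 3)) & 0xFFFFFFFF
    h ^= h >> 11
    return (h + (h << 15)) & 0xFFFFFFFF


def unkeyed_slot(name: str, pool_size: int = POOL_SIZE) -> int:
    """Slot chosen by an unkeyed hash. Anyone can compute it offline, so a
    client that picks its own name knows in advance which slot it lands in."""
    return jenkins_oaat(name.upper().encode("utf-8")) % pool_size


def keyed_slot(name: str, key: bytes, pool_size: int = POOL_SIZE) -> int:
    """Slot chosen by HMAC-SHA256 under a per-server secret. Without the key
    a client cannot predict which slot any name (its own or another's) gets."""
    digest = hmac.new(key, name.upper().encode("utf-8"), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % pool_size


def new_server_key() -> bytes:
    """Fresh secret per server process; it never leaves the server."""
    return os.urandom(32)


def assign_pool(names, key: bytes, pool_size: int = POOL_SIZE) -> dict:
    """Map each computer name to its keyed slot; returns {name: slot}."""
    return {n: keyed_slot(n, key, pool_size) for n in names}


if __name__ == "__main__":
    key = new_server_key()
    for n in ("WS01$", "FILESRV$", "DC02$"):
        print(n, "unkeyed:", unkeyed_slot(n), "keyed:", keyed_slot(n, key))
```

Both mappings are stable for the lifetime of one server key, so the pool behaves the same for legitimate members; the keyed form only removes the ability of an outsider to compute slot membership without the secret.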
