GetNCChanges DRS_GET_TGT

Andrew Bartlett abartlet at samba.org
Fri Mar 3 17:59:39 UTC 2017


On Fri, 2017-03-03 at 11:17 +0100, Stefan Metzmacher wrote:
> On 03.03.2017 at 09:03, Andrew Bartlett wrote:
> > G'Day Metze,
> > 
> > Recently we diagnosed with a client an interesting replication
> > corruption, due to the spread of replication over multiple chunks,
> > but the delay of link values until the end.
> > 
> > Because we don't implement DRS_GET_TGT the DRS server simply delays
> > all links until the end of replication, but that means they do not
> > get committed until after the object they relate to.  This means
> > they can be lost if the replication cycle breaks for any reason.
> 
> Why do you think that?
> The destination dsa should typically just retry in the next time.
> As the source dsa only returns the final highwatermark and
> uptodatevector in the final response and these reflect the state at
> the start of the cycle.

OK, so this may not be as serious as I feared.

In the meantime however the object is stored in sam.ldb, within the
transaction for the objects.  We have a real-world client where we have
managed to have linked values be seriously out of sync between DCs.  

This client has had serious replication issues, so broken cycles are
quite likely.  Much of the work to improve the O(n^2) behaviour in our
linked attribute processing has been driven by their network, because
when the client-side replication engine is busy and locked in a
transaction, everything else becomes rather messy :-)

> > As such, I think (and I'm sure you agree) Samba needs to implement
> > DRS_GET_TGT, and I my team at Catalyst will probably take this on
> > very soon.  This mail is as a heads-up, and to ensure we know about
> > any of your great work in progress, in case we can build on that.
> > Otherwise my gut feeling is that the GET_ANC patch should serve as
> > a good basis.
> 
> It would be good to correctly implement the replication of linked
> attributes similar to Windows. It can certainly happen
> that an object has missing links for the time until the next
> replication.
> In that case the object may also violate the schema restrictions
> and miss group memberships.

This is pretty much what we have seen.

Thanks for the feedback!

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



