[PATCHES] Add samba-tool visualize

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Sun Jan 7 21:42:40 UTC 2018


At times active directory can be terribly confusing with so many DCs
all busily doing amazing things that do not necessarily seem to lead
to successful replication. At these times you might be tempted to try
`samba-tool drs show-repl`, revealing a large clump of text that seems
to trace a delicate path between, but not including, human-readable
and machine-readable. At this point you might wish for a higher level
overview -- some means to grasp the situation as a whole -- so that
even if you proceed to panic you have a fuller narrative about why you
are panicking. Perhaps what you need is `samba-tool visualize`,
provided by this patchset. Actually, you probably need more of it than
is provided here -- and there is more, but 4.8 won't wait for it.

The tool has two modes of operation, '--distance' and '--dot'. '--dot'
generates Graphviz dot files that describe a graph; you need dot or
xdot to actually view the graph. It was stolen from samba_kcc which
can under duress be made to draw replication graphs a lot like those
of `samba-tool visualize ntdsconn --dot`. The default mode, '--distance',
draws a distance matrix or heatmap. Here's a very simple example, from
the tests:

| $ bin/samba-tool visualize ntdsconn -H $SERVER -U $USER%$PASS --color=no --shorten-names
| 
| NTDS Connections known to CN=LOCALVAMPIREDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=example,DC=com
|                           destination
|                      ,--- *,CN=LOCALDC+
|                      |,-- *,CN=LOCALVAMPIREDC+
|               source ||,- *,CN=PROMOTEDVDC+
|        *,CN=LOCALDC+ 0--
| *,CN=LOCALVAMPIREDC+ 10-
|    *,CN=PROMOTEDVDC+ --0
| 
| '*' stands for 'CN=NTDS Settings'
| '+' stands for ',CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=example,DC=com'
| 
| Data can get from source to destination in the indicated number of steps.
| 0 means zero steps (it is the same DC)
| 1 means a direct link
| 2 means a transitive link involving two steps (i.e. one intermediate DC)
| - means there is no connection, even through other DCs

That is telling you that the only connection is from LOCALVAMPIREDC to
LOCALDC, which is one of the situations in which you might reasonably
panic if you didn't know that it was a test environment of dubious
origin that had only been up for 3 seconds. But supposing you were
panicking, one thing you might want to know is what the other DCs
thought was going on. The above picture is LOCALVAMPIREDC's point of
view. To ask all the DCs at once, you add '--talk-to-remote' (or
'-r').

| $ bin/samba-tool visualize ntdsconn -H $SERVER -U $USER%$PASS --color=no --shorten-names -r
| 
| NTDS Connections known to each destination DC
|                           destination
|                      ,--- *,CN=LOCALDC+
|                      |,-- *,CN=LOCALVAMPIREDC+
|               source ||,- *,CN=PROMOTEDVDC+
|        *,CN=LOCALDC+ 0--
| *,CN=LOCALVAMPIREDC+ 10-
|    *,CN=PROMOTEDVDC+ 210

which shows us that things are not *quite* so bad.

If you ask about repsFrom/To objects, you should use '-r', because
these are not replicated. And I'll add '--utf8' to test your email
clients:

| $ bin/samba-tool visualize reps -H $SERVER -U $USER%$PASS --shorten-names -r --utf8
|
| RepsFrom objects for CONFIGURATION
|                         destination
|                    ╭─── CN=LOCALDC+
|                    │╭── CN=LOCALVAMPIREDC+
|             source ││╭─ CN=PROMOTEDVDC+
|        CN=LOCALDC+ ·11
| CN=LOCALVAMPIREDC+ 1·1
|    CN=PROMOTEDVDC+ 21·
| 
| '+' stands for ',CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=example,DC=com'
| 
| Data can get from source to destination in the indicated number of steps.
| · means zero steps (it is the same DC)
| 1 means a direct link
| 2 means a transitive link involving two steps (i.e. one intermediate DC)
| - means there is no connection, even through other DCs

With '--color=yes' (or '--color=auto' in a terminal, or
'--color-scheme=<any of a number of undocumented strings>'), you get
colour output in the style of a heatmap. 'No' is currently default. I
can't do colour here, but there are some pictures at

https://www.samba.org/~dbagnall/visualize/

along with some of the dot graphs.

You might be wondering why this is a whole new sub-tree, and not
something like `samba-tool drs visualize`. The main reason is this is
quite experimental and it is nicer to experiment when you know there
are no easily breakable things around. As you will see from the
patches, this touches few existing files. Another reason is I'd like
there to be non-DRS visualisations which can at least start their
lives under `samba-tool visualize`.

Please review, etc.

Douglas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: visualize.patch
Type: text/x-patch
Size: 94120 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20180108/5816f837/visualize.bin>
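The step counts in the matrices above are shortest-path lengths over the direct replication links, with '-' for pairs that no chain of DCs connects. The following is an added example, not code from the patchset or from samba-tool itself: it rebuilds the '-r' ntdsconn matrix from the two direct links that output shows, using a breadth-first search per source DC, renders it in the same rows-are-sources layout, and lists destinations that no other DC can reach at all (the case worth checking before panicking). The DC names are the ones from the post; the link set, function names and layout helper are constructed for this example.

```python
"""Shortest replication path lengths between DCs, in the sense drawn by
`samba-tool visualize --distance`.  Added example; not from the patchset."""
from collections import deque

# Constructed sample: the direct links visible in the '-r' ntdsconn output
# (source -> destination).  DC names are the test DCs from the post.
DCS = ["LOCALDC", "LOCALVAMPIREDC", "PROMOTEDVDC"]
DIRECT_LINKS = {
    ("LOCALVAMPIREDC", "LOCALDC"),
    ("PROMOTEDVDC", "LOCALVAMPIREDC"),
}


def step_matrix(dcs, links):
    """Return {source: {destination: steps}}.

    steps is 0 for the same DC, 1 for a direct link, n for a transitive
    path of n hops, and None where no path exists (the tool's '-')."""
    adjacency = {dc: set() for dc in dcs}
    for src, dst in links:
        adjacency[src].add(dst)
    matrix = {}
    for start in dcs:
        # Breadth-first search gives the minimum hop count from 'start'.
        dist = {start: 0}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for nxt in adjacency[node]:
                if nxt not in dist:
                    dist[nxt] = dist[node] + 1
                    queue.append(nxt)
        matrix[start] = {dc: dist.get(dc) for dc in dcs}
    return matrix


def render(matrix, dcs, none="-"):
    """Rows are sources, columns are destinations, as in the tool's output.

    Cells are single characters here, so this assumes fewer than ten hops;
    the sample has at most two."""
    width = max(len(dc) for dc in dcs)
    lines = []
    for src in dcs:
        cells = "".join(
            none if matrix[src][dst] is None else str(matrix[src][dst])
            for dst in dcs)
        lines.append(f"{src:>{width}} {cells}")
    return "\n".join(lines)


def unreachable_pairs(matrix):
    """(source, destination) pairs with no path, even via other DCs."""
    return sorted((s, d) for s, row in matrix.items()
                  for d, v in row.items() if v is None)


def isolated_destinations(matrix, dcs):
    """DCs that no other DC can reach: they will never receive updates."""
    return [d for d in dcs
            if all(matrix[s][d] is None for s in dcs if s != d)]


if __name__ == "__main__":
    m = step_matrix(DCS, DIRECT_LINKS)
    print(render(m, DCS))
    print("unreachable:", unreachable_pairs(m))
    print("never updated:", isolated_destinations(m, DCS))
```

Run on the constructed links, `render` reproduces the three rows `0--`, `10-`, `210` of the '-r' output, and `isolated_destinations` reports PROMOTEDVDC, which is exactly what the matrix is telling you: it can push to the others in one or two steps, but nothing flows back to it.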

