# define the KCC object
#
# Copyright (C) Dave Craft 2011
# Copyright (C) Andrew Bartlett 2015
#
# Andrew Bartlett's alleged work performed by his underlings Douglas
# Bagnall and Garming Sam.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
import random
import uuid
from functools import cmp_to_key
import itertools
from samba import unix2nttime, nttime2unix
from samba import ldb, dsdb, drs_utils
from samba.auth import system_session
from samba.samdb import SamDB
from samba.dcerpc import drsuapi, misc
from samba.kcc.kcc_utils import Site, Partition, Transport, SiteLink
from samba.kcc.kcc_utils import NCReplica, NCType, nctype_lut, GraphNode
from samba.kcc.kcc_utils import RepsFromTo, KCCError, KCCFailedObject
from samba.kcc.graph import convert_schedule_to_repltimes
from samba.ndr import ndr_pack
from samba.kcc.graph_utils import verify_and_dot
from samba.kcc import ldif_import_export
from samba.kcc.graph import setup_graph, get_spanning_tree_edges
from samba.kcc.graph import Vertex
from samba.kcc.debug import DEBUG, DEBUG_FN, logger
from samba.kcc import debug
from samba.common import cmp
def sort_dsa_by_gc_and_guid(dsa1, dsa2):
"""Helper to sort DSAs by guid global catalog status
GC DSAs come before non-GC DSAs, other than that, the guids are
sorted in NDR form.
:param dsa1: A DSA object
:param dsa2: Another DSA
:return: -1, 0, or 1, indicating sort order.
"""
if dsa1.is_gc() and not dsa2.is_gc():
return -1
if not dsa1.is_gc() and dsa2.is_gc():
return +1
return cmp(ndr_pack(dsa1.dsa_guid), ndr_pack(dsa2.dsa_guid))
def is_smtp_replication_available():
"""Can the KCC use SMTP replication?
Currently always returns false because Samba doesn't implement
SMTP transfer for NC changes between DCs.
:return: Boolean (always False)
"""
return False
class KCC(object):
"""The Knowledge Consistency Checker class.
A container for objects and methods allowing a run of the KCC. Produces a
set of connections in the samdb for which the Distributed Replication
Service can then utilize to replicate naming contexts
:param unix_now: The putative current time in seconds since 1970.
:param readonly: Don't write to the database.
:param verify: Check topological invariants for the generated graphs
:param debug: Write verbosely to stderr.
:param dot_file_dir: write diagnostic Graphviz files in this directory
"""
def __init__(self, unix_now, readonly=False, verify=False, debug=False,
dot_file_dir=None):
"""Initializes the partitions class which can hold
our local DCs partitions or all the partitions in
the forest
"""
self.part_table = {} # partition objects
self.site_table = {}
self.ip_transport = None
self.sitelink_table = {}
self.dsa_by_dnstr = {}
self.dsa_by_guid = {}
self.get_dsa_by_guidstr = self.dsa_by_guid.get
self.get_dsa = self.dsa_by_dnstr.get
# TODO: These should be backed by a 'permanent' store so that when
# calling DRSGetReplInfo with DS_REPL_INFO_KCC_DSA_CONNECT_FAILURES,
# the failure information can be returned
self.kcc_failed_links = {}
self.kcc_failed_connections = set()
# Used in inter-site topology computation. A list
# of connections (by NTDSConnection object) that are
# to be kept when pruning un-needed NTDS Connections
self.kept_connections = set()
self.my_dsa_dnstr = None # My dsa DN
self.my_dsa = None # My dsa object
self.my_site_dnstr = None
self.my_site = None
self.samdb = None
self.unix_now = unix_now
self.nt_now = unix2nttime(unix_now)
self.readonly = readonly
self.verify = verify
self.debug = debug
self.dot_file_dir = dot_file_dir
def load_ip_transport(self):
"""Loads the inter-site transport objects for Sites
:return: None
:raise KCCError: if no IP transport is found
"""
try:
res = self.samdb.search("CN=Inter-Site Transports,CN=Sites,%s" %
self.samdb.get_config_basedn(),
scope=ldb.SCOPE_SUBTREE,
expression="(objectClass=interSiteTransport)")
except ldb.LdbError as e2:
(enum, estr) = e2.args
raise KCCError("Unable to find inter-site transports - (%s)" %
estr)
for msg in res:
dnstr = str(msg.dn)
transport = Transport(dnstr)
transport.load_transport(self.samdb)
if transport.name == 'IP':
self.ip_transport = transport
elif transport.name == 'SMTP':
logger.debug("Samba KCC is ignoring the obsolete "
"SMTP transport.")
else:
logger.warning("Samba KCC does not support the transport "
"called %r." % (transport.name,))
if self.ip_transport is None:
raise KCCError("there doesn't seem to be an IP transport")
def load_all_sitelinks(self):
"""Loads the inter-site siteLink objects
:return: None
:raise KCCError: if site-links aren't found
"""
try:
res = self.samdb.search("CN=Inter-Site Transports,CN=Sites,%s" %
self.samdb.get_config_basedn(),
scope=ldb.SCOPE_SUBTREE,
expression="(objectClass=siteLink)")
except ldb.LdbError as e3:
(enum, estr) = e3.args
raise KCCError("Unable to find inter-site siteLinks - (%s)" % estr)
for msg in res:
dnstr = str(msg.dn)
# already loaded
if dnstr in self.sitelink_table:
continue
sitelink = SiteLink(dnstr)
sitelink.load_sitelink(self.samdb)
# Assign this siteLink to table
# and index by dn
self.sitelink_table[dnstr] = sitelink
def load_site(self, dn_str):
"""Helper for load_my_site and load_all_sites.
Put all the site's DSAs into the KCC indices.
:param dn_str: a site dn_str
:return: the Site object pertaining to the dn_str
"""
site = Site(dn_str, self.unix_now)
site.load_site(self.samdb)
# We avoid replacing the site with an identical copy in case
# somewhere else has a reference to the old one, which would
# lead to all manner of confusion and chaos.
guid = str(site.site_guid)
if guid not in self.site_table:
self.site_table[guid] = site
self.dsa_by_dnstr.update(site.dsa_table)
self.dsa_by_guid.update((str(x.dsa_guid), x)
for x in site.dsa_table.values())
return self.site_table[guid]
def load_my_site(self):
"""Load the Site object for the local DSA.
:return: None
"""
self.my_site_dnstr = ("CN=%s,CN=Sites,%s" % (
self.samdb.server_site_name(),
self.samdb.get_config_basedn()))
self.my_site = self.load_site(self.my_site_dnstr)
def load_all_sites(self):
"""Discover all sites and create Site objects.
:return: None
:raise: KCCError if sites can't be found
"""
try:
res = self.samdb.search("CN=Sites,%s" %
self.samdb.get_config_basedn(),
scope=ldb.SCOPE_SUBTREE,
expression="(objectClass=site)")
except ldb.LdbError as e4:
(enum, estr) = e4.args
raise KCCError("Unable to find sites - (%s)" % estr)
for msg in res:
sitestr = str(msg.dn)
self.load_site(sitestr)
def load_my_dsa(self):
"""Discover my nTDSDSA dn thru the rootDSE entry
:return: None
:raise: KCCError if DSA can't be found
"""
dn_query = "" % self.samdb.get_ntds_GUID()
dn = ldb.Dn(self.samdb, dn_query)
try:
res = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE,
attrs=["objectGUID"])
except ldb.LdbError as e5:
(enum, estr) = e5.args
DEBUG_FN("Search for dn '%s' [from %s] failed: %s. "
"This typically happens in --importldif mode due "
"to lack of module support." % (dn, dn_query, estr))
try:
# We work around the failure above by looking at the
# dsServiceName that was put in the fake rootdse by
# the --exportldif, rather than the
# samdb.get_ntds_GUID(). The disadvantage is that this
# mode requires we modify the @ROOTDSE dnq to support
# --forced-local-dsa
service_name_res = self.samdb.search(base="",
scope=ldb.SCOPE_BASE,
attrs=["dsServiceName"])
dn = ldb.Dn(self.samdb,
service_name_res[0]["dsServiceName"][0].decode('utf8'))
res = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE,
attrs=["objectGUID"])
except ldb.LdbError as e:
(enum, estr) = e.args
raise KCCError("Unable to find my nTDSDSA - (%s)" % estr)
if len(res) != 1:
raise KCCError("Unable to find my nTDSDSA at %s" %
dn.extended_str())
ntds_guid = misc.GUID(self.samdb.get_ntds_GUID())
if misc.GUID(res[0]["objectGUID"][0]) != ntds_guid:
raise KCCError("Did not find the GUID we expected,"
" perhaps due to --importldif")
self.my_dsa_dnstr = str(res[0].dn)
self.my_dsa = self.my_site.get_dsa(self.my_dsa_dnstr)
if self.my_dsa_dnstr not in self.dsa_by_dnstr:
debug.DEBUG_DARK_YELLOW("my_dsa %s isn't in self.dsas_by_dnstr:"
" it must be RODC.\n"
"Let's add it, because my_dsa is special!"
"\n(likewise for self.dsa_by_guid)" %
self.my_dsa_dnstr)
self.dsa_by_dnstr[self.my_dsa_dnstr] = self.my_dsa
self.dsa_by_guid[str(self.my_dsa.dsa_guid)] = self.my_dsa
def load_all_partitions(self):
"""Discover and load all partitions.
Each NC is inserted into the part_table by partition
dn string (not the nCName dn string)
:return: None
:raise: KCCError if partitions can't be found
"""
try:
res = self.samdb.search("CN=Partitions,%s" %
self.samdb.get_config_basedn(),
scope=ldb.SCOPE_SUBTREE,
expression="(objectClass=crossRef)")
except ldb.LdbError as e6:
(enum, estr) = e6.args
raise KCCError("Unable to find partitions - (%s)" % estr)
for msg in res:
partstr = str(msg.dn)
# already loaded
if partstr in self.part_table:
continue
part = Partition(partstr)
part.load_partition(self.samdb)
self.part_table[partstr] = part
def refresh_failed_links_connections(self, ping=None):
"""Ensure the failed links list is up to date
Based on MS-ADTS 6.2.2.1
:param ping: An oracle function of remote site availability
:return: None
"""
# LINKS: Refresh failed links
self.kcc_failed_links = {}
current, needed = self.my_dsa.get_rep_tables()
for replica in current.values():
# For every possible connection to replicate
for reps_from in replica.rep_repsFrom:
failure_count = reps_from.consecutive_sync_failures
if failure_count <= 0:
continue
dsa_guid = str(reps_from.source_dsa_obj_guid)
time_first_failure = reps_from.last_success
last_result = reps_from.last_attempt
dns_name = reps_from.dns_name1
f = self.kcc_failed_links.get(dsa_guid)
if f is None:
f = KCCFailedObject(dsa_guid, failure_count,
time_first_failure, last_result,
dns_name)
self.kcc_failed_links[dsa_guid] = f
else:
f.failure_count = max(f.failure_count, failure_count)
f.time_first_failure = min(f.time_first_failure,
time_first_failure)
f.last_result = last_result
# CONNECTIONS: Refresh failed connections
restore_connections = set()
if ping is not None:
DEBUG("refresh_failed_links: checking if links are still down")
for connection in self.kcc_failed_connections:
if ping(connection.dns_name):
# Failed connection is no longer failing
restore_connections.add(connection)
else:
connection.failure_count += 1
else:
DEBUG("refresh_failed_links: not checking live links because we\n"
"weren't asked to --attempt-live-connections")
# Remove the restored connections from the failed connections
self.kcc_failed_connections.difference_update(restore_connections)
def is_stale_link_connection(self, target_dsa):
"""Check whether a link to a remote DSA is stale
Used in MS-ADTS 6.2.2.2 Intrasite Connection Creation
Returns True if the remote seems to have been down for at
least two hours, otherwise False.
:param target_dsa: the remote DSA object
:return: True if link is stale, otherwise False
"""
failed_link = self.kcc_failed_links.get(str(target_dsa.dsa_guid))
if failed_link:
# failure_count should be > 0, but check anyways
if failed_link.failure_count > 0:
unix_first_failure = \
nttime2unix(failed_link.time_first_failure)
# TODO guard against future
if unix_first_failure > self.unix_now:
logger.error("The last success time attribute for "
"repsFrom is in the future!")
# Perform calculation in seconds
if (self.unix_now - unix_first_failure) > 60 * 60 * 2:
return True
# TODO connections.
# We have checked failed *links*, but we also need to check
# *connections*
return False
# TODO: This should be backed by some form of local database
def remove_unneeded_failed_links_connections(self):
# Remove all tuples in kcc_failed_links where failure count = 0
# In this implementation, this should never happen.
# Remove all connections which were not used this run or connections
# that became active during this run.
pass
def _ensure_connections_are_loaded(self, connections):
"""Load or fake-load NTDSConnections lacking GUIDs
New connections don't have GUIDs and created times which are
needed for sorting. If we're in read-only mode, we make fake
GUIDs, otherwise we ask SamDB to do it for us.
:param connections: an iterable of NTDSConnection objects.
:return: None
"""
for cn_conn in connections:
if cn_conn.guid is None:
if self.readonly:
cn_conn.guid = misc.GUID(str(uuid.uuid4()))
cn_conn.whenCreated = self.nt_now
else:
cn_conn.load_connection(self.samdb)
def _mark_broken_ntdsconn(self):
"""Find NTDS Connections that lack a remote
I'm not sure how they appear. Let's be rid of them by marking
them with the to_be_deleted attribute.
:return: None
"""
for cn_conn in self.my_dsa.connect_table.values():
s_dnstr = cn_conn.get_from_dnstr()
if s_dnstr is None:
DEBUG_FN("%s has phantom connection %s" % (self.my_dsa,
cn_conn))
cn_conn.to_be_deleted = True
def _mark_unneeded_local_ntdsconn(self):
"""Find unneeded intrasite NTDS Connections for removal
Based on MS-ADTS 6.2.2.4 Removing Unnecessary Connections.
Every DC removes its own unnecessary intrasite connections.
This function tags them with the to_be_deleted attribute.
:return: None
"""
# XXX should an RODC be regarded as same site? It isn't part
# of the intrasite ring.
if self.my_site.is_cleanup_ntdsconn_disabled():
DEBUG_FN("not doing ntdsconn cleanup for site %s, "
"because it is disabled" % self.my_site)
return
mydsa = self.my_dsa
try:
self._ensure_connections_are_loaded(mydsa.connect_table.values())
except KCCError:
# RODC never actually added any connections to begin with
if mydsa.is_ro():
return
local_connections = []
for cn_conn in mydsa.connect_table.values():
s_dnstr = cn_conn.get_from_dnstr()
if s_dnstr in self.my_site.dsa_table:
removable = not (cn_conn.is_generated() or
cn_conn.is_rodc_topology())
packed_guid = ndr_pack(cn_conn.guid)
local_connections.append((cn_conn, s_dnstr,
packed_guid, removable))
# Avoid "ValueError: r cannot be bigger than the iterable" in
# for a, b in itertools.permutations(local_connections, 2):
if (len(local_connections) < 2):
return
for a, b in itertools.permutations(local_connections, 2):
cn_conn, s_dnstr, packed_guid, removable = a
cn_conn2, s_dnstr2, packed_guid2, removable2 = b
if (removable and
s_dnstr == s_dnstr2 and
cn_conn.whenCreated < cn_conn2.whenCreated or
(cn_conn.whenCreated == cn_conn2.whenCreated and
packed_guid < packed_guid2)):
cn_conn.to_be_deleted = True
def _mark_unneeded_intersite_ntdsconn(self):
"""find unneeded intersite NTDS Connections for removal
Based on MS-ADTS 6.2.2.4 Removing Unnecessary Connections. The
intersite topology generator removes links for all DCs in its
site. Here we just tag them with the to_be_deleted attribute.
:return: None
"""
# TODO Figure out how best to handle the RODC case
# The RODC is ISTG, but shouldn't act on anyone's behalf.
if self.my_dsa.is_ro():
return
# Find the intersite connections
local_dsas = self.my_site.dsa_table
connections_and_dsas = []
for dsa in local_dsas.values():
for cn in dsa.connect_table.values():
if cn.to_be_deleted:
continue
s_dnstr = cn.get_from_dnstr()
if s_dnstr is None:
continue
if s_dnstr not in local_dsas:
from_dsa = self.get_dsa(s_dnstr)
# Samba ONLY: ISTG removes connections to dead DCs
if from_dsa is None or '\\0ADEL' in s_dnstr:
logger.info("DSA appears deleted, removing connection %s"
% s_dnstr)
cn.to_be_deleted = True
continue
connections_and_dsas.append((cn, dsa, from_dsa))
self._ensure_connections_are_loaded(x[0] for x in connections_and_dsas)
for cn, to_dsa, from_dsa in connections_and_dsas:
if not cn.is_generated() or cn.is_rodc_topology():
continue
# If the connection is in the kept_connections list, we
# only remove it if an endpoint seems down.
if (cn in self.kept_connections and
not (self.is_bridgehead_failed(to_dsa, True) or
self.is_bridgehead_failed(from_dsa, True))):
continue
# this one is broken and might be superseded by another.
# But which other? Let's just say another link to the same
# site can supersede.
from_dnstr = from_dsa.dsa_dnstr
for site in self.site_table.values():
if from_dnstr in site.rw_dsa_table:
for cn2, to_dsa2, from_dsa2 in connections_and_dsas:
if (cn is not cn2 and
from_dsa2 in site.rw_dsa_table):
cn.to_be_deleted = True
def _commit_changes(self, dsa):
if dsa.is_ro() or self.readonly:
for connect in dsa.connect_table.values():
if connect.to_be_deleted:
logger.info("TO BE DELETED:\n%s" % connect)
if connect.to_be_added:
logger.info("TO BE ADDED:\n%s" % connect)
if connect.to_be_modified:
logger.info("TO BE MODIFIED:\n%s" % connect)
# Perform deletion from our tables but perform
# no database modification
dsa.commit_connections(self.samdb, ro=True)
else:
# Commit any modified connections
dsa.commit_connections(self.samdb)
def remove_unneeded_ntdsconn(self, all_connected):
"""Remove unneeded NTDS Connections once topology is calculated
Based on MS-ADTS 6.2.2.4 Removing Unnecessary Connections
:param all_connected: indicates whether all sites are connected
:return: None
"""
self._mark_broken_ntdsconn()
self._mark_unneeded_local_ntdsconn()
# if we are not the istg, we're done!
# if we are the istg, but all_connected is False, we also do nothing.
if self.my_dsa.is_istg() and all_connected:
self._mark_unneeded_intersite_ntdsconn()
for dsa in self.my_site.dsa_table.values():
self._commit_changes(dsa)
def modify_repsFrom(self, n_rep, t_repsFrom, s_rep, s_dsa, cn_conn):
"""Update an repsFrom object if required.
Part of MS-ADTS 6.2.2.5.
Update t_repsFrom if necessary to satisfy requirements. Such
updates are typically required when the IDL_DRSGetNCChanges
server has moved from one site to another--for example, to
enable compression when the server is moved from the
client's site to another site.
The repsFrom.update_flags bit field may be modified
auto-magically if any changes are made here. See
kcc_utils.RepsFromTo for gory details.
:param n_rep: NC replica we need
:param t_repsFrom: repsFrom tuple to modify
:param s_rep: NC replica at source DSA
:param s_dsa: source DSA
:param cn_conn: Local DSA NTDSConnection child
:return: None
"""
s_dnstr = s_dsa.dsa_dnstr
same_site = s_dnstr in self.my_site.dsa_table
# if schedule doesn't match then update and modify
times = convert_schedule_to_repltimes(cn_conn.schedule)
if times != t_repsFrom.schedule:
t_repsFrom.schedule = times
# Bit DRS_ADD_REF is set in replicaFlags unconditionally
# Samba ONLY:
if ((t_repsFrom.replica_flags &
drsuapi.DRSUAPI_DRS_ADD_REF) == 0x0):
t_repsFrom.replica_flags |= drsuapi.DRSUAPI_DRS_ADD_REF
# Bit DRS_PER_SYNC is set in replicaFlags if and only
# if nTDSConnection schedule has a value v that specifies
# scheduled replication is to be performed at least once
# per week.
if cn_conn.is_schedule_minimum_once_per_week():
if ((t_repsFrom.replica_flags &
drsuapi.DRSUAPI_DRS_PER_SYNC) == 0x0):
t_repsFrom.replica_flags |= drsuapi.DRSUAPI_DRS_PER_SYNC
# Bit DRS_INIT_SYNC is set in t.replicaFlags if and only
# if the source DSA and the local DC's nTDSDSA object are
# in the same site or source dsa is the FSMO role owner
# of one or more FSMO roles in the NC replica.
if same_site or n_rep.is_fsmo_role_owner(s_dnstr):
if ((t_repsFrom.replica_flags &
drsuapi.DRSUAPI_DRS_INIT_SYNC) == 0x0):
t_repsFrom.replica_flags |= drsuapi.DRSUAPI_DRS_INIT_SYNC
# If bit NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT is set in
# cn!options, bit DRS_NEVER_NOTIFY is set in t.replicaFlags
# if and only if bit NTDSCONN_OPT_USE_NOTIFY is clear in
# cn!options. Otherwise, bit DRS_NEVER_NOTIFY is set in
# t.replicaFlags if and only if s and the local DC's
# nTDSDSA object are in different sites.
if ((cn_conn.options &
dsdb.NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT) != 0x0):
if (cn_conn.options & dsdb.NTDSCONN_OPT_USE_NOTIFY) == 0x0:
# WARNING
#
# it LOOKS as if this next test is a bit silly: it
# checks the flag then sets it if it not set; the same
# effect could be achieved by unconditionally setting
# it. But in fact the repsFrom object has special
# magic attached to it, and altering replica_flags has
# side-effects. That is bad in my opinion, but there
# you go.
if ((t_repsFrom.replica_flags &
drsuapi.DRSUAPI_DRS_NEVER_NOTIFY) == 0x0):
t_repsFrom.replica_flags |= \
drsuapi.DRSUAPI_DRS_NEVER_NOTIFY
elif not same_site:
if ((t_repsFrom.replica_flags &
drsuapi.DRSUAPI_DRS_NEVER_NOTIFY) == 0x0):
t_repsFrom.replica_flags |= drsuapi.DRSUAPI_DRS_NEVER_NOTIFY
# Bit DRS_USE_COMPRESSION is set in t.replicaFlags if
# and only if s and the local DC's nTDSDSA object are
# not in the same site and the
# NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION bit is
# clear in cn!options
if (not same_site and
(cn_conn.options &
dsdb.NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION) == 0x0):
if ((t_repsFrom.replica_flags &
drsuapi.DRSUAPI_DRS_USE_COMPRESSION) == 0x0):
t_repsFrom.replica_flags |= drsuapi.DRSUAPI_DRS_USE_COMPRESSION
# Bit DRS_TWOWAY_SYNC is set in t.replicaFlags if and only
# if bit NTDSCONN_OPT_TWOWAY_SYNC is set in cn!options.
if (cn_conn.options & dsdb.NTDSCONN_OPT_TWOWAY_SYNC) != 0x0:
if ((t_repsFrom.replica_flags &
drsuapi.DRSUAPI_DRS_TWOWAY_SYNC) == 0x0):
t_repsFrom.replica_flags |= drsuapi.DRSUAPI_DRS_TWOWAY_SYNC
# Bits DRS_DISABLE_AUTO_SYNC and DRS_DISABLE_PERIODIC_SYNC are
# set in t.replicaFlags if and only if cn!enabledConnection = false.
if not cn_conn.is_enabled():
if ((t_repsFrom.replica_flags &
drsuapi.DRSUAPI_DRS_DISABLE_AUTO_SYNC) == 0x0):
t_repsFrom.replica_flags |= \
drsuapi.DRSUAPI_DRS_DISABLE_AUTO_SYNC
if ((t_repsFrom.replica_flags &
drsuapi.DRSUAPI_DRS_DISABLE_PERIODIC_SYNC) == 0x0):
t_repsFrom.replica_flags |= \
drsuapi.DRSUAPI_DRS_DISABLE_PERIODIC_SYNC
# If s and the local DC's nTDSDSA object are in the same site,
# cn!transportType has no value, or the RDN of cn!transportType
# is CN=IP:
#
# Bit DRS_MAIL_REP in t.replicaFlags is clear.
#
# t.uuidTransport = NULL GUID.
#
# t.uuidDsa = The GUID-based DNS name of s.
#
# Otherwise:
#
# Bit DRS_MAIL_REP in t.replicaFlags is set.
#
# If x is the object with dsname cn!transportType,
# t.uuidTransport = x!objectGUID.
#
# Let a be the attribute identified by
# x!transportAddressAttribute. If a is
# the dNSHostName attribute, t.uuidDsa = the GUID-based
# DNS name of s. Otherwise, t.uuidDsa = (s!parent)!a.
#
# It appears that the first statement i.e.
#
# "If s and the local DC's nTDSDSA object are in the same
# site, cn!transportType has no value, or the RDN of
# cn!transportType is CN=IP:"
#
# could be a slightly tighter statement if it had an "or"
# between each condition. I believe this should
# be interpreted as:
#
# IF (same-site) OR (no-value) OR (type-ip)
#
# because IP should be the primary transport mechanism
# (even in inter-site) and the absence of the transportType
# attribute should always imply IP no matter if its multi-site
#
# NOTE MS-TECH INCORRECT:
#
# All indications point to these statements above being
# incorrectly stated:
#
# t.uuidDsa = The GUID-based DNS name of s.
#
# Let a be the attribute identified by
# x!transportAddressAttribute. If a is
# the dNSHostName attribute, t.uuidDsa = the GUID-based
# DNS name of s. Otherwise, t.uuidDsa = (s!parent)!a.
#
# because the uuidDSA is a GUID and not a GUID-base DNS
# name. Nor can uuidDsa hold (s!parent)!a if not
# dNSHostName. What should have been said is:
#
# t.naDsa = The GUID-based DNS name of s
#
# That would also be correct if transportAddressAttribute
# were "mailAddress" because (naDsa) can also correctly
# hold the SMTP ISM service address.
#
nastr = "%s._msdcs.%s" % (s_dsa.dsa_guid, self.samdb.forest_dns_name())
if ((t_repsFrom.replica_flags &
drsuapi.DRSUAPI_DRS_MAIL_REP) != 0x0):
t_repsFrom.replica_flags &= ~drsuapi.DRSUAPI_DRS_MAIL_REP
t_repsFrom.transport_guid = misc.GUID()
# See (NOTE MS-TECH INCORRECT) above
# NOTE: it looks like these conditionals are pointless,
# because the state will end up as `t_repsFrom.dns_name1 ==
# nastr` in either case, BUT the repsFrom thing is magic and
# assigning to it alters some flags. So we try not to update
# it unless necessary.
if t_repsFrom.dns_name1 != nastr:
t_repsFrom.dns_name1 = nastr
if t_repsFrom.version > 0x1 and t_repsFrom.dns_name2 != nastr:
t_repsFrom.dns_name2 = nastr
if t_repsFrom.is_modified():
DEBUG_FN("modify_repsFrom(): %s" % t_repsFrom)
def get_dsa_for_implied_replica(self, n_rep, cn_conn):
"""If a connection imply a replica, find the relevant DSA
Given a NC replica and NTDS Connection, determine if the
connection implies a repsFrom tuple should be present from the
source DSA listed in the connection to the naming context. If
it should be, return the DSA; otherwise return None.
Based on part of MS-ADTS 6.2.2.5
:param n_rep: NC replica
:param cn_conn: NTDS Connection
:return: source DSA or None
"""
# XXX different conditions for "implies" than MS-ADTS 6.2.2
# preamble.
# It boils down to: we want an enabled, non-FRS connections to
# a valid remote DSA with a non-RO replica corresponding to
# n_rep.
if not cn_conn.is_enabled() or cn_conn.is_rodc_topology():
return None
s_dnstr = cn_conn.get_from_dnstr()
s_dsa = self.get_dsa(s_dnstr)
# No DSA matching this source DN string?
if s_dsa is None:
return None
s_rep = s_dsa.get_current_replica(n_rep.nc_dnstr)
if (s_rep is not None and
s_rep.is_present() and
(not s_rep.is_ro() or n_rep.is_partial())):
return s_dsa
return None
def translate_ntdsconn(self, current_dsa=None):
"""Adjust repsFrom to match NTDSConnections
This function adjusts values of repsFrom abstract attributes of NC
replicas on the local DC to match those implied by
nTDSConnection objects.
Based on [MS-ADTS] 6.2.2.5
:param current_dsa: optional DSA on whose behalf we are acting.
:return: None
"""
ro = False
if current_dsa is None:
current_dsa = self.my_dsa
if current_dsa.is_ro():
ro = True
if current_dsa.is_translate_ntdsconn_disabled():
DEBUG_FN("skipping translate_ntdsconn() "
"because disabling flag is set")
return
DEBUG_FN("translate_ntdsconn(): enter")
current_rep_table, needed_rep_table = current_dsa.get_rep_tables()
# Filled in with replicas we currently have that need deleting
delete_reps = set()
# We're using the MS notation names here to allow
# correlation back to the published algorithm.
#
# n_rep - NC replica (n)
# t_repsFrom - tuple (t) in n!repsFrom
# s_dsa - Source DSA of the replica. Defined as nTDSDSA
# object (s) such that (s!objectGUID = t.uuidDsa)
# In our IDL representation of repsFrom the (uuidDsa)
# attribute is called (source_dsa_obj_guid)
# cn_conn - (cn) is nTDSConnection object and child of the local
# DC's nTDSDSA object and (cn!fromServer = s)
# s_rep - source DSA replica of n
#
# If we have the replica and its not needed
# then we add it to the "to be deleted" list.
for dnstr in current_rep_table:
# If we're on the RODC, hardcode the update flags
if ro:
c_rep = current_rep_table[dnstr]
c_rep.load_repsFrom(self.samdb)
for t_repsFrom in c_rep.rep_repsFrom:
replica_flags = (drsuapi.DRSUAPI_DRS_INIT_SYNC |
drsuapi.DRSUAPI_DRS_PER_SYNC |
drsuapi.DRSUAPI_DRS_ADD_REF |
drsuapi.DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING |
drsuapi.DRSUAPI_DRS_NONGC_RO_REP)
if t_repsFrom.replica_flags != replica_flags:
t_repsFrom.replica_flags = replica_flags
c_rep.commit_repsFrom(self.samdb, ro=self.readonly)
else:
if dnstr not in needed_rep_table:
delete_reps.add(dnstr)
DEBUG_FN('current %d needed %d delete %d' % (len(current_rep_table),
len(needed_rep_table), len(delete_reps)))
if delete_reps:
# TODO Must delete repsFrom/repsTo for these replicas
DEBUG('deleting these reps: %s' % delete_reps)
for dnstr in delete_reps:
del current_rep_table[dnstr]
# HANDLE REPS-FROM
#
# Now perform the scan of replicas we'll need
# and compare any current repsFrom against the
# connections
for n_rep in needed_rep_table.values():
# load any repsFrom and fsmo roles as we'll
# need them during connection translation
n_rep.load_repsFrom(self.samdb)
n_rep.load_fsmo_roles(self.samdb)
# Loop thru the existing repsFrom tuples (if any)
# XXX This is a list and could contain duplicates
# (multiple load_repsFrom calls)
for t_repsFrom in n_rep.rep_repsFrom:
# for each tuple t in n!repsFrom, let s be the nTDSDSA
# object such that s!objectGUID = t.uuidDsa
guidstr = str(t_repsFrom.source_dsa_obj_guid)
s_dsa = self.get_dsa_by_guidstr(guidstr)
# Source dsa is gone from config (strange)
# so cleanup stale repsFrom for unlisted DSA
if s_dsa is None:
logger.warning("repsFrom source DSA guid (%s) not found" %
guidstr)
t_repsFrom.to_be_deleted = True
continue
# Find the connection that this repsFrom would use. If
# there isn't a good one (i.e. non-RODC_TOPOLOGY,
# meaning non-FRS), we delete the repsFrom.
s_dnstr = s_dsa.dsa_dnstr
connections = current_dsa.get_connection_by_from_dnstr(s_dnstr)
for cn_conn in connections:
if not cn_conn.is_rodc_topology():
break
else:
# no break means no non-rodc_topology connection exists
t_repsFrom.to_be_deleted = True
continue
# KCC removes this repsFrom tuple if any of the following
# is true:
# No NC replica of the NC "is present" on DSA that
# would be source of replica
#
# A writable replica of the NC "should be present" on
# the local DC, but a partial replica "is present" on
# the source DSA
s_rep = s_dsa.get_current_replica(n_rep.nc_dnstr)
if s_rep is None or not s_rep.is_present() or \
(not n_rep.is_ro() and s_rep.is_partial()):
t_repsFrom.to_be_deleted = True
continue
# If the KCC did not remove t from n!repsFrom, it updates t
self.modify_repsFrom(n_rep, t_repsFrom, s_rep, s_dsa, cn_conn)
# Loop thru connections and add implied repsFrom tuples
# for each NTDSConnection under our local DSA if the
# repsFrom is not already present
for cn_conn in current_dsa.connect_table.values():
s_dsa = self.get_dsa_for_implied_replica(n_rep, cn_conn)
if s_dsa is None:
continue
# Loop thru the existing repsFrom tuples (if any) and
# if we already have a tuple for this connection then
# no need to proceed to add. It will have been changed
# to have the correct attributes above
for t_repsFrom in n_rep.rep_repsFrom:
guidstr = str(t_repsFrom.source_dsa_obj_guid)
if s_dsa is self.get_dsa_by_guidstr(guidstr):
s_dsa = None
break
if s_dsa is None:
continue
# Create a new RepsFromTo and proceed to modify
# it according to specification
t_repsFrom = RepsFromTo(n_rep.nc_dnstr)
t_repsFrom.source_dsa_obj_guid = s_dsa.dsa_guid
s_rep = s_dsa.get_current_replica(n_rep.nc_dnstr)
self.modify_repsFrom(n_rep, t_repsFrom, s_rep, s_dsa, cn_conn)
# Add to our NC repsFrom as this is newly computed
if t_repsFrom.is_modified():
n_rep.rep_repsFrom.append(t_repsFrom)
if self.readonly or ro:
# Display any to be deleted or modified repsFrom
text = n_rep.dumpstr_to_be_deleted()
if text:
logger.info("TO BE DELETED:\n%s" % text)
text = n_rep.dumpstr_to_be_modified()
if text:
logger.info("TO BE MODIFIED:\n%s" % text)
# Perform deletion from our tables but perform
# no database modification
n_rep.commit_repsFrom(self.samdb, ro=True)
else:
# Commit any modified repsFrom to the NC replica
n_rep.commit_repsFrom(self.samdb)
# HANDLE REPS-TO:
#
# Now perform the scan of replicas we'll need
# and compare any current repsTo against the
# connections
# RODC should never push to anybody (should we check this?)
if ro:
return
for n_rep in needed_rep_table.values():
# load any repsTo and fsmo roles as we'll
# need them during connection translation
n_rep.load_repsTo(self.samdb)
# Loop thru the existing repsTo tuples (if any)
# XXX This is a list and could contain duplicates
# (multiple load_repsTo calls)
for t_repsTo in n_rep.rep_repsTo:
# for each tuple t in n!repsTo, let s be the nTDSDSA
# object such that s!objectGUID = t.uuidDsa
guidstr = str(t_repsTo.source_dsa_obj_guid)
s_dsa = self.get_dsa_by_guidstr(guidstr)
# Source dsa is gone from config (strange)
# so cleanup stale repsTo for unlisted DSA
if s_dsa is None:
logger.warning("repsTo source DSA guid (%s) not found" %
guidstr)
t_repsTo.to_be_deleted = True
continue
# Find the connection that this repsTo would use. If
# there isn't a good one (i.e. non-RODC_TOPOLOGY,
# meaning non-FRS), we delete the repsTo.
s_dnstr = s_dsa.dsa_dnstr
if '\\0ADEL' in s_dnstr:
logger.warning("repsTo source DSA guid (%s) appears deleted" %
guidstr)
t_repsTo.to_be_deleted = True
continue
connections = s_dsa.get_connection_by_from_dnstr(self.my_dsa_dnstr)
if len(connections) > 0:
# Then this repsTo is tentatively valid
continue
else:
# There is no plausible connection for this repsTo
t_repsTo.to_be_deleted = True
if self.readonly:
# Display any to be deleted or modified repsTo
for rt in n_rep.rep_repsTo:
if rt.to_be_deleted:
logger.info("REMOVING REPS-TO: %s" % rt)
# Perform deletion from our tables but perform
# no database modification
n_rep.commit_repsTo(self.samdb, ro=True)
else:
# Commit any modified repsTo to the NC replica
n_rep.commit_repsTo(self.samdb)
# TODO Remove any duplicate repsTo values. This should never happen in
# any normal situations.
def merge_failed_links(self, ping=None):
"""Merge of kCCFailedLinks and kCCFailedLinks from bridgeheads.
The KCC on a writable DC attempts to merge the link and connection
failure information from bridgehead DCs in its own site to help it
identify failed bridgehead DCs.
Based on MS-ADTS 6.2.2.3.2 "Merge of kCCFailedLinks and kCCFailedLinks
from Bridgeheads"
:param ping: An oracle of current bridgehead availability
:return: None
"""
# 1. Queries every bridgehead server in your site (other than yourself)
# 2. For every ntDSConnection that references a server in a different
# site merge all the failure info
#
# XXX - not implemented yet
if ping is not None:
debug.DEBUG_RED("merge_failed_links() is NOT IMPLEMENTED")
else:
DEBUG_FN("skipping merge_failed_links() because it requires "
"real network connections\n"
"and we weren't asked to --attempt-live-connections")
def setup_graph(self, part):
"""Set up an intersite graph
An intersite graph has a Vertex for each site object, a
MultiEdge for each SiteLink object, and a MutliEdgeSet for
each siteLinkBridge object (or implied siteLinkBridge). It
reflects the intersite topology in a slightly more abstract
graph form.
Roughly corresponds to MS-ADTS 6.2.2.3.4.3
:param part: a Partition object
:returns: an InterSiteGraph object
"""
# If 'Bridge all site links' is enabled and Win2k3 bridges required
# is not set
# NTDSTRANSPORT_OPT_BRIDGES_REQUIRED 0x00000002
# No documentation for this however, ntdsapi.h appears to have:
# NTDSSETTINGS_OPT_W2K3_BRIDGES_REQUIRED = 0x00001000
bridges_required = self.my_site.site_options & 0x00001002 != 0
transport_guid = str(self.ip_transport.guid)
g = setup_graph(part, self.site_table, transport_guid,
self.sitelink_table, bridges_required)
if self.verify or self.dot_file_dir is not None:
dot_edges = []
for edge in g.edges:
for a, b in itertools.combinations(edge.vertices, 2):
dot_edges.append((a.site.site_dnstr, b.site.site_dnstr))
verify_properties = ()
name = 'site_edges_%s' % part.partstr
verify_and_dot(name, dot_edges, directed=False,
label=self.my_dsa_dnstr,
properties=verify_properties, debug=DEBUG,
verify=self.verify,
dot_file_dir=self.dot_file_dir)
return g
def get_bridgehead(self, site, part, transport, partial_ok, detect_failed):
"""Get a bridghead DC for a site.
Part of MS-ADTS 6.2.2.3.4.4
:param site: site object representing for which a bridgehead
DC is desired.
:param part: crossRef for NC to replicate.
:param transport: interSiteTransport object for replication
traffic.
:param partial_ok: True if a DC containing a partial
replica or a full replica will suffice, False if only
a full replica will suffice.
:param detect_failed: True to detect failed DCs and route
replication traffic around them, False to assume no DC
has failed.
:return: dsa object for the bridgehead DC or None
"""
bhs = self.get_all_bridgeheads(site, part, transport,
partial_ok, detect_failed)
if not bhs:
debug.DEBUG_MAGENTA("get_bridgehead FAILED:\nsitedn = %s" %
site.site_dnstr)
return None
debug.DEBUG_GREEN("get_bridgehead:\n\tsitedn = %s\n\tbhdn = %s" %
(site.site_dnstr, bhs[0].dsa_dnstr))
return bhs[0]
def get_all_bridgeheads(self, site, part, transport,
partial_ok, detect_failed):
"""Get all bridghead DCs on a site satisfying the given criteria
Part of MS-ADTS 6.2.2.3.4.4
:param site: site object representing the site for which
bridgehead DCs are desired.
:param part: partition for NC to replicate.
:param transport: interSiteTransport object for
replication traffic.
:param partial_ok: True if a DC containing a partial
replica or a full replica will suffice, False if
only a full replica will suffice.
:param detect_failed: True to detect failed DCs and route
replication traffic around them, FALSE to assume
no DC has failed.
:return: list of dsa object for available bridgehead DCs
"""
bhs = []
if transport.name != "IP":
raise KCCError("get_all_bridgeheads has run into a "
"non-IP transport! %r"
% (transport.name,))
DEBUG_FN(site.rw_dsa_table)
for dsa in site.rw_dsa_table.values():
pdnstr = dsa.get_parent_dnstr()
# IF t!bridgeheadServerListBL has one or more values and
# t!bridgeheadServerListBL does not contain a reference
# to the parent object of dc then skip dc
if ((len(transport.bridgehead_list) != 0 and
pdnstr not in transport.bridgehead_list)):
continue
# IF dc is in the same site as the local DC
# IF a replica of cr!nCName is not in the set of NC replicas
# that "should be present" on dc or a partial replica of the
# NC "should be present" but partialReplicasOkay = FALSE
# Skip dc
if self.my_site.same_site(dsa):
needed, ro, partial = part.should_be_present(dsa)
if not needed or (partial and not partial_ok):
continue
rep = dsa.get_current_replica(part.nc_dnstr)
# ELSE
# IF an NC replica of cr!nCName is not in the set of NC
# replicas that "are present" on dc or a partial replica of
# the NC "is present" but partialReplicasOkay = FALSE
# Skip dc
else:
rep = dsa.get_current_replica(part.nc_dnstr)
if rep is None or (rep.is_partial() and not partial_ok):
continue
# IF AmIRODC() and cr!nCName corresponds to default NC then
# Let dsaobj be the nTDSDSA object of the dc
# IF dsaobj.msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
# Skip dc
if self.my_dsa.is_ro() and rep is not None and rep.is_default():
if not dsa.is_minimum_behavior(dsdb.DS_DOMAIN_FUNCTION_2008):
continue
# IF BridgeheadDCFailed(dc!objectGUID, detectFailedDCs) = TRUE
# Skip dc
if self.is_bridgehead_failed(dsa, detect_failed):
DEBUG("bridgehead is failed")
continue
DEBUG_FN("found a bridgehead: %s" % dsa.dsa_dnstr)
bhs.append(dsa)
# IF bit NTDSSETTINGS_OPT_IS_RAND_BH_SELECTION_DISABLED is set in
# s!options
# SORT bhs such that all GC servers precede DCs that are not GC
# servers, and otherwise by ascending objectGUID
# ELSE
# SORT bhs in a random order
if site.is_random_bridgehead_disabled():
bhs.sort(key=cmp_to_key(sort_dsa_by_gc_and_guid))
else:
random.shuffle(bhs)
debug.DEBUG_YELLOW(bhs)
return bhs
def is_bridgehead_failed(self, dsa, detect_failed):
"""Determine whether a given DC is known to be in a failed state
:param dsa: the bridgehead to test
:param detect_failed: True to really check, False to assume no failure
:return: True if and only if the DC should be considered failed
Here we DEPART from the pseudo code spec which appears to be
wrong. It says, in full:
/***** BridgeheadDCFailed *****/
/* Determine whether a given DC is known to be in a failed state.
* IN: objectGUID - objectGUID of the DC's nTDSDSA object.
* IN: detectFailedDCs - TRUE if and only failed DC detection is
* enabled.
* RETURNS: TRUE if and only if the DC should be considered to be in a
* failed state.
*/
BridgeheadDCFailed(IN GUID objectGUID, IN bool detectFailedDCs) : bool
{
IF bit NTDSSETTINGS_OPT_IS_TOPL_DETECT_STALE_DISABLED is set in
the options attribute of the site settings object for the local
DC's site
RETURN FALSE
ELSEIF a tuple z exists in the kCCFailedLinks or
kCCFailedConnections variables such that z.UUIDDsa =
objectGUID, z.FailureCount > 1, and the current time -
z.TimeFirstFailure > 2 hours
RETURN TRUE
ELSE
RETURN detectFailedDCs
ENDIF
}
where you will see detectFailedDCs is not behaving as
advertised -- it is acting as a default return code in the
event that a failure is not detected, not a switch turning
detection on or off. Elsewhere the documentation seems to
concur with the comment rather than the code.
"""
if not detect_failed:
return False
# NTDSSETTINGS_OPT_IS_TOPL_DETECT_STALE_DISABLED = 0x00000008
# When DETECT_STALE_DISABLED, we can never know of if
# it's in a failed state
if self.my_site.site_options & 0x00000008:
return False
return self.is_stale_link_connection(dsa)
def create_connection(self, part, rbh, rsite, transport,
lbh, lsite, link_opt, link_sched,
partial_ok, detect_failed):
"""Create an nTDSConnection object as specified if it doesn't exist.
Part of MS-ADTS 6.2.2.3.4.5
:param part: crossRef object for the NC to replicate.
:param rbh: nTDSDSA object for DC to act as the
IDL_DRSGetNCChanges server (which is in a site other
than the local DC's site).
:param rsite: site of the rbh
:param transport: interSiteTransport object for the transport
to use for replication traffic.
:param lbh: nTDSDSA object for DC to act as the
IDL_DRSGetNCChanges client (which is in the local DC's site).
:param lsite: site of the lbh
:param link_opt: Replication parameters (aggregated siteLink options,
etc.)
:param link_sched: Schedule specifying the times at which
to begin replicating.
:partial_ok: True if bridgehead DCs containing partial
replicas of the NC are acceptable.
:param detect_failed: True to detect failed DCs and route
replication traffic around them, FALSE to assume no DC
has failed.
"""
rbhs_all = self.get_all_bridgeheads(rsite, part, transport,
partial_ok, False)
rbh_table = dict((x.dsa_dnstr, x) for x in rbhs_all)
debug.DEBUG_GREY("rbhs_all: %s %s" % (len(rbhs_all),
[x.dsa_dnstr for x in rbhs_all]))
# MS-TECH says to compute rbhs_avail but then doesn't use it
# rbhs_avail = self.get_all_bridgeheads(rsite, part, transport,
# partial_ok, detect_failed)
lbhs_all = self.get_all_bridgeheads(lsite, part, transport,
partial_ok, False)
if lbh.is_ro():
lbhs_all.append(lbh)
debug.DEBUG_GREY("lbhs_all: %s %s" % (len(lbhs_all),
[x.dsa_dnstr for x in lbhs_all]))
# MS-TECH says to compute lbhs_avail but then doesn't use it
# lbhs_avail = self.get_all_bridgeheads(lsite, part, transport,
# partial_ok, detect_failed)
# FOR each nTDSConnection object cn such that the parent of cn is
# a DC in lbhsAll and cn!fromServer references a DC in rbhsAll
for ldsa in lbhs_all:
for cn in ldsa.connect_table.values():
rdsa = rbh_table.get(cn.from_dnstr)
if rdsa is None:
continue
debug.DEBUG_DARK_YELLOW("rdsa is %s" % rdsa.dsa_dnstr)
# IF bit NTDSCONN_OPT_IS_GENERATED is set in cn!options and
# NTDSCONN_OPT_RODC_TOPOLOGY is clear in cn!options and
# cn!transportType references t
if ((cn.is_generated() and
not cn.is_rodc_topology() and
cn.transport_guid == transport.guid)):
# IF bit NTDSCONN_OPT_USER_OWNED_SCHEDULE is clear in
# cn!options and cn!schedule != sch
# Perform an originating update to set cn!schedule to
# sched
if ((not cn.is_user_owned_schedule() and
not cn.is_equivalent_schedule(link_sched))):
cn.schedule = link_sched
cn.set_modified(True)
# IF bits NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT and
# NTDSCONN_OPT_USE_NOTIFY are set in cn
if cn.is_override_notify_default() and \
cn.is_use_notify():
# IF bit NTDSSITELINK_OPT_USE_NOTIFY is clear in
# ri.Options
# Perform an originating update to clear bits
# NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT and
# NTDSCONN_OPT_USE_NOTIFY in cn!options
if (link_opt & dsdb.NTDSSITELINK_OPT_USE_NOTIFY) == 0:
cn.options &= \
~(dsdb.NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT |
dsdb.NTDSCONN_OPT_USE_NOTIFY)
cn.set_modified(True)
# ELSE
else:
# IF bit NTDSSITELINK_OPT_USE_NOTIFY is set in
# ri.Options
# Perform an originating update to set bits
# NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT and
# NTDSCONN_OPT_USE_NOTIFY in cn!options
if (link_opt & dsdb.NTDSSITELINK_OPT_USE_NOTIFY) != 0:
cn.options |= \
(dsdb.NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT |
dsdb.NTDSCONN_OPT_USE_NOTIFY)
cn.set_modified(True)
# IF bit NTDSCONN_OPT_TWOWAY_SYNC is set in cn!options
if cn.is_twoway_sync():
# IF bit NTDSSITELINK_OPT_TWOWAY_SYNC is clear in
# ri.Options
# Perform an originating update to clear bit
# NTDSCONN_OPT_TWOWAY_SYNC in cn!options
if (link_opt & dsdb.NTDSSITELINK_OPT_TWOWAY_SYNC) == 0:
cn.options &= ~dsdb.NTDSCONN_OPT_TWOWAY_SYNC
cn.set_modified(True)
# ELSE
else:
# IF bit NTDSSITELINK_OPT_TWOWAY_SYNC is set in
# ri.Options
# Perform an originating update to set bit
# NTDSCONN_OPT_TWOWAY_SYNC in cn!options
if (link_opt & dsdb.NTDSSITELINK_OPT_TWOWAY_SYNC) != 0:
cn.options |= dsdb.NTDSCONN_OPT_TWOWAY_SYNC
cn.set_modified(True)
# IF bit NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION is set
# in cn!options
if cn.is_intersite_compression_disabled():
# IF bit NTDSSITELINK_OPT_DISABLE_COMPRESSION is clear
# in ri.Options
# Perform an originating update to clear bit
# NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION in
# cn!options
if ((link_opt &
dsdb.NTDSSITELINK_OPT_DISABLE_COMPRESSION) == 0):
cn.options &= \
~dsdb.NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION
cn.set_modified(True)
# ELSE
else:
# IF bit NTDSSITELINK_OPT_DISABLE_COMPRESSION is set in
# ri.Options
# Perform an originating update to set bit
# NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION in
# cn!options
if ((link_opt &
dsdb.NTDSSITELINK_OPT_DISABLE_COMPRESSION) != 0):
cn.options |= \
dsdb.NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION
cn.set_modified(True)
# Display any modified connection
if self.readonly or ldsa.is_ro():
if cn.to_be_modified:
logger.info("TO BE MODIFIED:\n%s" % cn)
ldsa.commit_connections(self.samdb, ro=True)
else:
ldsa.commit_connections(self.samdb)
# ENDFOR
valid_connections = 0
# FOR each nTDSConnection object cn such that cn!parent is
# a DC in lbhsAll and cn!fromServer references a DC in rbhsAll
for ldsa in lbhs_all:
for cn in ldsa.connect_table.values():
rdsa = rbh_table.get(cn.from_dnstr)
if rdsa is None:
continue
debug.DEBUG_DARK_YELLOW("round 2: rdsa is %s" % rdsa.dsa_dnstr)
# IF (bit NTDSCONN_OPT_IS_GENERATED is clear in cn!options or
# cn!transportType references t) and
# NTDSCONN_OPT_RODC_TOPOLOGY is clear in cn!options
if (((not cn.is_generated() or
cn.transport_guid == transport.guid) and
not cn.is_rodc_topology())):
# LET rguid be the objectGUID of the nTDSDSA object
# referenced by cn!fromServer
# LET lguid be (cn!parent)!objectGUID
# IF BridgeheadDCFailed(rguid, detectFailedDCs) = FALSE and
# BridgeheadDCFailed(lguid, detectFailedDCs) = FALSE
# Increment cValidConnections by 1
if ((not self.is_bridgehead_failed(rdsa, detect_failed) and
not self.is_bridgehead_failed(ldsa, detect_failed))):
valid_connections += 1
# IF keepConnections does not contain cn!objectGUID
# APPEND cn!objectGUID to keepConnections
self.kept_connections.add(cn)
# ENDFOR
debug.DEBUG_RED("valid connections %d" % valid_connections)
DEBUG("kept_connections:\n%s" % (self.kept_connections,))
# IF cValidConnections = 0
if valid_connections == 0:
# LET opt be NTDSCONN_OPT_IS_GENERATED
opt = dsdb.NTDSCONN_OPT_IS_GENERATED
# IF bit NTDSSITELINK_OPT_USE_NOTIFY is set in ri.Options
# SET bits NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT and
# NTDSCONN_OPT_USE_NOTIFY in opt
if (link_opt & dsdb.NTDSSITELINK_OPT_USE_NOTIFY) != 0:
opt |= (dsdb.NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT |
dsdb.NTDSCONN_OPT_USE_NOTIFY)
# IF bit NTDSSITELINK_OPT_TWOWAY_SYNC is set in ri.Options
# SET bit NTDSCONN_OPT_TWOWAY_SYNC opt
if (link_opt & dsdb.NTDSSITELINK_OPT_TWOWAY_SYNC) != 0:
opt |= dsdb.NTDSCONN_OPT_TWOWAY_SYNC
# IF bit NTDSSITELINK_OPT_DISABLE_COMPRESSION is set in
# ri.Options
# SET bit NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION in opt
if ((link_opt &
dsdb.NTDSSITELINK_OPT_DISABLE_COMPRESSION) != 0):
opt |= dsdb.NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION
# Perform an originating update to create a new nTDSConnection
# object cn that is a child of lbh, cn!enabledConnection = TRUE,
# cn!options = opt, cn!transportType is a reference to t,
# cn!fromServer is a reference to rbh, and cn!schedule = sch
DEBUG_FN("new connection, KCC dsa: %s" % self.my_dsa.dsa_dnstr)
system_flags = (dsdb.SYSTEM_FLAG_CONFIG_ALLOW_RENAME |
dsdb.SYSTEM_FLAG_CONFIG_ALLOW_MOVE)
cn = lbh.new_connection(opt, system_flags, transport,
rbh.dsa_dnstr, link_sched)
# Display any added connection
if self.readonly or lbh.is_ro():
if cn.to_be_added:
logger.info("TO BE ADDED:\n%s" % cn)
lbh.commit_connections(self.samdb, ro=True)
else:
lbh.commit_connections(self.samdb)
# APPEND cn!objectGUID to keepConnections
self.kept_connections.add(cn)
def add_transports(self, vertex, local_vertex, graph, detect_failed):
"""Build a Vertex's transport lists
Each vertex has accept_red_red and accept_black lists that
list what transports they accept under various conditions. The
only transport that is ever accepted is IP, and a dummy extra
transport called "EDGE_TYPE_ALL".
Part of MS-ADTS 6.2.2.3.4.3 -- ColorVertices
:param vertex: the remote vertex we are thinking about
:param local_vertex: the vertex relating to the local site.
:param graph: the intersite graph
:param detect_failed: whether to detect failed links
:return: True if some bridgeheads were not found
"""
# The docs ([MS-ADTS] 6.2.2.3.4.3) say to use local_vertex
# here, but using vertex seems to make more sense. That is,
# the docs want this:
#
# bh = self.get_bridgehead(local_vertex.site, vertex.part, transport,
# local_vertex.is_black(), detect_failed)
#
# TODO WHY?????
vertex.accept_red_red = []
vertex.accept_black = []
found_failed = False
if vertex in graph.connected_vertices:
t_guid = str(self.ip_transport.guid)
bh = self.get_bridgehead(vertex.site, vertex.part,
self.ip_transport,
vertex.is_black(), detect_failed)
if bh is None:
if vertex.site.is_rodc_site():
vertex.accept_red_red.append(t_guid)
else:
found_failed = True
else:
vertex.accept_red_red.append(t_guid)
vertex.accept_black.append(t_guid)
# Add additional transport to ensure another run of Dijkstra
vertex.accept_red_red.append("EDGE_TYPE_ALL")
vertex.accept_black.append("EDGE_TYPE_ALL")
return found_failed
def create_connections(self, graph, part, detect_failed):
"""Create intersite NTDSConnections as needed by a partition
Construct an NC replica graph for the NC identified by
the given crossRef, then create any additional nTDSConnection
objects required.
:param graph: site graph.
:param part: crossRef object for NC.
:param detect_failed: True to detect failed DCs and route
replication traffic around them, False to assume no DC
has failed.
Modifies self.kept_connections by adding any connections
deemed to be "in use".
:return: (all_connected, found_failed_dc)
(all_connected) True if the resulting NC replica graph
connects all sites that need to be connected.
(found_failed_dc) True if one or more failed DCs were
detected.
"""
all_connected = True
found_failed = False
DEBUG_FN("create_connections(): enter\n"
"\tpartdn=%s\n\tdetect_failed=%s" %
(part.nc_dnstr, detect_failed))
# XXX - This is a highly abbreviated function from the MS-TECH
# ref. It creates connections between bridgeheads to all
# sites that have appropriate replicas. Thus we are not
# creating a minimum cost spanning tree but instead
# producing a fully connected tree. This should produce
# a full (albeit not optimal cost) replication topology.
my_vertex = Vertex(self.my_site, part)
my_vertex.color_vertex()
for v in graph.vertices:
v.color_vertex()
if self.add_transports(v, my_vertex, graph, detect_failed):
found_failed = True
# No NC replicas for this NC in the site of the local DC,
# so no nTDSConnection objects need be created
if my_vertex.is_white():
return all_connected, found_failed
edge_list, n_components = get_spanning_tree_edges(graph,
self.my_site,
label=part.partstr)
DEBUG_FN("%s Number of components: %d" %
(part.nc_dnstr, n_components))
if n_components > 1:
all_connected = False
# LET partialReplicaOkay be TRUE if and only if
# localSiteVertex.Color = COLOR.BLACK
partial_ok = my_vertex.is_black()
# Utilize the IP transport only for now
transport = self.ip_transport
DEBUG("edge_list %s" % edge_list)
for e in edge_list:
# XXX more accurate comparison?
if e.directed and e.vertices[0].site is self.my_site:
continue
if e.vertices[0].site is self.my_site:
rsite = e.vertices[1].site
else:
rsite = e.vertices[0].site
# We don't make connections to our own site as that
# is intrasite topology generator's job
if rsite is self.my_site:
DEBUG("rsite is my_site")
continue
# Determine bridgehead server in remote site
rbh = self.get_bridgehead(rsite, part, transport,
partial_ok, detect_failed)
if rbh is None:
continue
# RODC acts as an BH for itself
# IF AmIRODC() then
# LET lbh be the nTDSDSA object of the local DC
# ELSE
# LET lbh be the result of GetBridgeheadDC(localSiteVertex.ID,
# cr, t, partialReplicaOkay, detectFailedDCs)
if self.my_dsa.is_ro():
lsite = self.my_site
lbh = self.my_dsa
else:
lsite = self.my_site
lbh = self.get_bridgehead(lsite, part, transport,
partial_ok, detect_failed)
# TODO
if lbh is None:
debug.DEBUG_RED("DISASTER! lbh is None")
return False, True
DEBUG_FN("lsite: %s\nrsite: %s" % (lsite, rsite))
DEBUG_FN("vertices %s" % (e.vertices,))
debug.DEBUG_BLUE("bridgeheads\n%s\n%s\n%s" % (lbh, rbh, "-" * 70))
sitelink = e.site_link
if sitelink is None:
link_opt = 0x0
link_sched = None
else:
link_opt = sitelink.options
link_sched = sitelink.schedule
self.create_connection(part, rbh, rsite, transport,
lbh, lsite, link_opt, link_sched,
partial_ok, detect_failed)
return all_connected, found_failed
def create_intersite_connections(self):
"""Create NTDSConnections as necessary for all partitions.
Computes an NC replica graph for each NC replica that "should be
present" on the local DC or "is present" on any DC in the same site
as the local DC. For each edge directed to an NC replica on such a
DC from an NC replica on a DC in another site, the KCC creates an
nTDSConnection object to imply that edge if one does not already
exist.
Modifies self.kept_connections - A set of nTDSConnection
objects for edges that are directed
to the local DC's site in one or more NC replica graphs.
:return: True if spanning trees were created for all NC replica
graphs, otherwise False.
"""
all_connected = True
self.kept_connections = set()
# LET crossRefList be the set containing each object o of class
# crossRef such that o is a child of the CN=Partitions child of the
# config NC
# FOR each crossRef object cr in crossRefList
# IF cr!enabled has a value and is false, or if FLAG_CR_NTDS_NC
# is clear in cr!systemFlags, skip cr.
# LET g be the GRAPH return of SetupGraph()
for part in self.part_table.values():
if not part.is_enabled():
continue
if part.is_foreign():
continue
graph = self.setup_graph(part)
# Create nTDSConnection objects, routing replication traffic
# around "failed" DCs.
found_failed = False
connected, found_failed = self.create_connections(graph,
part, True)
DEBUG("with detect_failed: connected %s Found failed %s" %
(connected, found_failed))
if not connected:
all_connected = False
if found_failed:
# One or more failed DCs preclude use of the ideal NC
# replica graph. Add connections for the ideal graph.
self.create_connections(graph, part, False)
return all_connected
def intersite(self, ping):
"""Generate the inter-site KCC replica graph and nTDSConnections
As per MS-ADTS 6.2.2.3.
If self.readonly is False, the connections are added to self.samdb.
Produces self.kept_connections which is a set of NTDS
Connections that should be kept during subsequent pruning
process.
After this has run, all sites should be connected in a minimum
spanning tree.
:param ping: An oracle function of remote site availability
:return (True or False): (True) if the produced NC replica
graph connects all sites that need to be connected
"""
# Retrieve my DSA
mydsa = self.my_dsa
mysite = self.my_site
all_connected = True
DEBUG_FN("intersite(): enter")
# Determine who is the ISTG
if self.readonly:
mysite.select_istg(self.samdb, mydsa, ro=True)
else:
mysite.select_istg(self.samdb, mydsa, ro=False)
# Test whether local site has topology disabled
if mysite.is_intersite_topology_disabled():
DEBUG_FN("intersite(): exit disabled all_connected=%d" %
all_connected)
return all_connected
if not mydsa.is_istg():
DEBUG_FN("intersite(): exit not istg all_connected=%d" %
all_connected)
return all_connected
self.merge_failed_links(ping)
# For each NC with an NC replica that "should be present" on the
# local DC or "is present" on any DC in the same site as the
# local DC, the KCC constructs a site graph--a precursor to an NC
# replica graph. The site connectivity for a site graph is defined
# by objects of class interSiteTransport, siteLink, and
# siteLinkBridge in the config NC.
all_connected = self.create_intersite_connections()
DEBUG_FN("intersite(): exit all_connected=%d" % all_connected)
return all_connected
# This function currently does no actions. The reason being that we cannot
# perform modifies in this way on the RODC.
def update_rodc_connection(self, ro=True):
"""Updates the RODC NTFRS connection object.
If the local DSA is not an RODC, this does nothing.
"""
if not self.my_dsa.is_ro():
return
# Given an nTDSConnection object cn1, such that cn1.options contains
# NTDSCONN_OPT_RODC_TOPOLOGY, and another nTDSConnection object cn2,
# does not contain NTDSCONN_OPT_RODC_TOPOLOGY, modify cn1 to ensure
# that the following is true:
#
# cn1.fromServer = cn2.fromServer
# cn1.schedule = cn2.schedule
#
# If no such cn2 can be found, cn1 is not modified.
# If no such cn1 can be found, nothing is modified by this task.
all_connections = self.my_dsa.connect_table.values()
ro_connections = [x for x in all_connections if x.is_rodc_topology()]
rw_connections = [x for x in all_connections
if x not in ro_connections]
# XXX here we are dealing with multiple RODC_TOPO connections,
# if they exist. It is not clear whether the spec means that
# or if it ever arises.
if rw_connections and ro_connections:
for con in ro_connections:
cn2 = rw_connections[0]
con.from_dnstr = cn2.from_dnstr
con.schedule = cn2.schedule
con.to_be_modified = True
self.my_dsa.commit_connections(self.samdb, ro=ro)
def intrasite_max_node_edges(self, node_count):
"""Find the maximum number of edges directed to an intrasite node
The KCC does not create more than 50 edges directed to a
single DC. To optimize replication, we compute that each node
should have n+2 total edges directed to it such that (n) is
the smallest non-negative integer satisfying
(node_count <= 2*(n*n) + 6*n + 7)
(If the number of edges is m (i.e. n + 2), that is the same as
2 * m*m - 2 * m + 3). We think in terms of n because that is
the number of extra connections over the double directed ring
that exists by default.
edges n nodecount
2 0 7
3 1 15
4 2 27
5 3 43
...
50 48 4903
:param node_count: total number of nodes in the replica graph
The intention is that there should be no more than 3 hops
between any two DSAs at a site. With up to 7 nodes the 2 edges
of the ring are enough; any configuration of extra edges with
8 nodes will be enough. It is less clear that the 3 hop
guarantee holds at e.g. 15 nodes in degenerate cases, but
those are quite unlikely given the extra edges are randomly
arranged.
:param node_count: the number of nodes in the site
"return: The desired maximum number of connections
"""
n = 0
while True:
if node_count <= (2 * (n * n) + (6 * n) + 7):
break
n = n + 1
n = n + 2
if n < 50:
return n
return 50
def construct_intrasite_graph(self, site_local, dc_local,
nc_x, gc_only, detect_stale):
"""Create an intrasite graph using given parameters
This might be called a number of times per site with different
parameters.
Based on [MS-ADTS] 6.2.2.2
:param site_local: site for which we are working
:param dc_local: local DC that potentially needs a replica
:param nc_x: naming context (x) that we are testing if it
"should be present" on the local DC
:param gc_only: Boolean - only consider global catalog servers
:param detect_stale: Boolean - check whether links seems down
:return: None
"""
# We're using the MS notation names here to allow
# correlation back to the published algorithm.
#
# nc_x - naming context (x) that we are testing if it
# "should be present" on the local DC
# f_of_x - replica (f) found on a DC (s) for NC (x)
# dc_s - DC where f_of_x replica was found
# dc_local - local DC that potentially needs a replica
# (f_of_x)
# r_list - replica list R
# p_of_x - replica (p) is partial and found on a DC (s)
# for NC (x)
# l_of_x - replica (l) is the local replica for NC (x)
# that should appear on the local DC
# r_len = is length of replica list |R|
#
# If the DSA doesn't need a replica for this
# partition (NC x) then continue
needed, ro, partial = nc_x.should_be_present(dc_local)
debug.DEBUG_YELLOW("construct_intrasite_graph(): enter" +
"\n\tgc_only=%d" % gc_only +
"\n\tdetect_stale=%d" % detect_stale +
"\n\tneeded=%s" % needed +
"\n\tro=%s" % ro +
"\n\tpartial=%s" % partial +
"\n%s" % nc_x)
if not needed:
debug.DEBUG_RED("%s lacks 'should be present' status, "
"aborting construct_intrasite_graph!" %
nc_x.nc_dnstr)
return
# Create a NCReplica that matches what the local replica
# should say. We'll use this below in our r_list
l_of_x = NCReplica(dc_local, nc_x.nc_dnstr)
l_of_x.identify_by_basedn(self.samdb)
l_of_x.rep_partial = partial
l_of_x.rep_ro = ro
# Add this replica that "should be present" to the
# needed replica table for this DSA
dc_local.add_needed_replica(l_of_x)
# Replica list
#
# Let R be a sequence containing each writable replica f of x
# such that f "is present" on a DC s satisfying the following
# criteria:
#
# * s is a writable DC other than the local DC.
#
# * s is in the same site as the local DC.
#
# * If x is a read-only full replica and x is a domain NC,
# then the DC's functional level is at least
# DS_BEHAVIOR_WIN2008.
#
# * Bit NTDSSETTINGS_OPT_IS_TOPL_DETECT_STALE_DISABLED is set
# in the options attribute of the site settings object for
# the local DC's site, or no tuple z exists in the
# kCCFailedLinks or kCCFailedConnections variables such
# that z.UUIDDsa is the objectGUID of the nTDSDSA object
# for s, z.FailureCount > 0, and the current time -
# z.TimeFirstFailure > 2 hours.
r_list = []
# We'll loop thru all the DSAs looking for
# writeable NC replicas that match the naming
# context dn for (nc_x)
#
for dc_s in self.my_site.dsa_table.values():
# If this partition (nc_x) doesn't appear as a
# replica (f_of_x) on (dc_s) then continue
if nc_x.nc_dnstr not in dc_s.current_rep_table:
continue
# Pull out the NCReplica (f) of (x) with the dn
# that matches NC (x) we are examining.
f_of_x = dc_s.current_rep_table[nc_x.nc_dnstr]
# Replica (f) of NC (x) must be writable
if f_of_x.is_ro():
continue
# Replica (f) of NC (x) must satisfy the
# "is present" criteria for DC (s) that
# it was found on
if not f_of_x.is_present():
continue
# DC (s) must be a writable DSA other than
# my local DC. In other words we'd only replicate
# from other writable DC
if dc_s.is_ro() or dc_s is dc_local:
continue
# Certain replica graphs are produced only
# for global catalogs, so test against
# method input parameter
if gc_only and not dc_s.is_gc():
continue
# DC (s) must be in the same site as the local DC
# as this is the intra-site algorithm. This is
# handled by virtue of placing DSAs in per
# site objects (see enclosing for() loop)
# If NC (x) is intended to be read-only full replica
# for a domain NC on the target DC then the source
# DC should have functional level at minimum WIN2008
#
# Effectively we're saying that in order to replicate
# to a targeted RODC (which was introduced in Windows 2008)
# then we have to replicate from a DC that is also minimally
# at that level.
#
# You can also see this requirement in the MS special
# considerations for RODC which state that to deploy
# an RODC, at least one writable domain controller in
# the domain must be running Windows Server 2008
if ro and not partial and nc_x.nc_type == NCType.domain:
if not dc_s.is_minimum_behavior(dsdb.DS_DOMAIN_FUNCTION_2008):
continue
# If we haven't been told to turn off stale connection
# detection and this dsa has a stale connection then
# continue
if detect_stale and self.is_stale_link_connection(dc_s):
continue
# Replica meets criteria. Add it to table indexed
# by the GUID of the DC that it appears on
r_list.append(f_of_x)
# If a partial (not full) replica of NC (x) "should be present"
# on the local DC, append to R each partial replica (p of x)
# such that p "is present" on a DC satisfying the same
# criteria defined above for full replica DCs.
#
# XXX This loop and the previous one differ only in whether
# the replica is partial or not. here we only accept partial
# (because we're partial); before we only accepted full. Order
# doesn't matter (the list is sorted a few lines down) so these
# loops could easily be merged. Or this could be a helper
# function.
if partial:
# Now we loop thru all the DSAs looking for
# partial NC replicas that match the naming
# context dn for (NC x)
for dc_s in self.my_site.dsa_table.values():
# If this partition NC (x) doesn't appear as a
# replica (p) of NC (x) on the dsa DC (s) then
# continue
if nc_x.nc_dnstr not in dc_s.current_rep_table:
continue
# Pull out the NCReplica with the dn that
# matches NC (x) we are examining.
p_of_x = dc_s.current_rep_table[nc_x.nc_dnstr]
# Replica (p) of NC (x) must be partial
if not p_of_x.is_partial():
continue
# Replica (p) of NC (x) must satisfy the
# "is present" criteria for DC (s) that
# it was found on
if not p_of_x.is_present():
continue
# DC (s) must be a writable DSA other than
# my DSA. In other words we'd only replicate
# from other writable DSA
if dc_s.is_ro() or dc_s is dc_local:
continue
# Certain replica graphs are produced only
# for global catalogs, so test against
# method input parameter
if gc_only and not dc_s.is_gc():
continue
# If we haven't been told to turn off stale connection
# detection and this dsa has a stale connection then
# continue
if detect_stale and self.is_stale_link_connection(dc_s):
continue
# Replica meets criteria. Add it to table indexed
# by the GUID of the DSA that it appears on
r_list.append(p_of_x)
# Append to R the NC replica that "should be present"
# on the local DC
r_list.append(l_of_x)
r_list.sort(key=lambda rep: ndr_pack(rep.rep_dsa_guid))
r_len = len(r_list)
max_node_edges = self.intrasite_max_node_edges(r_len)
# Add a node for each r_list element to the replica graph
graph_list = []
for rep in r_list:
node = GraphNode(rep.rep_dsa_dnstr, max_node_edges)
graph_list.append(node)
# For each r(i) from (0 <= i < |R|-1)
i = 0
while i < (r_len - 1):
# Add an edge from r(i) to r(i+1) if r(i) is a full
# replica or r(i+1) is a partial replica
if not r_list[i].is_partial() or r_list[i +1].is_partial():
graph_list[i + 1].add_edge_from(r_list[i].rep_dsa_dnstr)
# Add an edge from r(i+1) to r(i) if r(i+1) is a full
# replica or ri is a partial replica.
if not r_list[i + 1].is_partial() or r_list[i].is_partial():
graph_list[i].add_edge_from(r_list[i + 1].rep_dsa_dnstr)
i = i + 1
# Add an edge from r|R|-1 to r0 if r|R|-1 is a full replica
# or r0 is a partial replica.
if not r_list[r_len - 1].is_partial() or r_list[0].is_partial():
graph_list[0].add_edge_from(r_list[r_len - 1].rep_dsa_dnstr)
# Add an edge from r0 to r|R|-1 if r0 is a full replica or
# r|R|-1 is a partial replica.
if not r_list[0].is_partial() or r_list[r_len -1].is_partial():
graph_list[r_len - 1].add_edge_from(r_list[0].rep_dsa_dnstr)
DEBUG("r_list is length %s" % len(r_list))
DEBUG('\n'.join(str((x.rep_dsa_guid, x.rep_dsa_dnstr))
for x in r_list))
do_dot_files = self.dot_file_dir is not None and self.debug
if self.verify or do_dot_files:
dot_edges = []
dot_vertices = set()
for v1 in graph_list:
dot_vertices.add(v1.dsa_dnstr)
for v2 in v1.edge_from:
dot_edges.append((v2, v1.dsa_dnstr))
dot_vertices.add(v2)
verify_properties = ('connected',)
verify_and_dot('intrasite_pre_ntdscon', dot_edges, dot_vertices,
label='%s__%s__%s' % (site_local.site_dnstr,
nctype_lut[nc_x.nc_type],
nc_x.nc_dnstr),
properties=verify_properties, debug=DEBUG,
verify=self.verify,
dot_file_dir=self.dot_file_dir,
directed=True)
rw_dot_vertices = set(x for x in dot_vertices
if not self.get_dsa(x).is_ro())
rw_dot_edges = [(a, b) for a, b in dot_edges if
a in rw_dot_vertices and b in rw_dot_vertices]
rw_verify_properties = ('connected',
'directed_double_ring_or_small')
verify_and_dot('intrasite_rw_pre_ntdscon', rw_dot_edges,
rw_dot_vertices,
label='%s__%s__%s' % (site_local.site_dnstr,
nctype_lut[nc_x.nc_type],
nc_x.nc_dnstr),
properties=rw_verify_properties, debug=DEBUG,
verify=self.verify,
dot_file_dir=self.dot_file_dir,
directed=True)
# For each existing nTDSConnection object implying an edge
# from rj of R to ri such that j != i, an edge from rj to ri
# is not already in the graph, and the total edges directed
# to ri is less than n+2, the KCC adds that edge to the graph.
for vertex in graph_list:
dsa = self.my_site.dsa_table[vertex.dsa_dnstr]
for connect in dsa.connect_table.values():
remote = connect.from_dnstr
if remote in self.my_site.dsa_table:
vertex.add_edge_from(remote)
DEBUG('reps are: %s' % ' '.join(x.rep_dsa_dnstr for x in r_list))
DEBUG('dsas are: %s' % ' '.join(x.dsa_dnstr for x in graph_list))
for tnode in graph_list:
# To optimize replication latency in sites with many NC
# replicas, the KCC adds new edges directed to ri to bring
# the total edges to n+2, where the NC replica rk of R
# from which the edge is directed is chosen at random such
# that k != i and an edge from rk to ri is not already in
# the graph.
#
# Note that the KCC tech ref does not give a number for
# the definition of "sites with many NC replicas". At a
# bare minimum to satisfy n+2 edges directed at a node we
# have to have at least three replicas in |R| (i.e. if n
# is zero then at least replicas from two other graph
# nodes may direct edges to us).
if r_len >= 3 and not tnode.has_sufficient_edges():
candidates = [x for x in graph_list if
(x is not tnode and
x.dsa_dnstr not in tnode.edge_from)]
debug.DEBUG_BLUE("looking for random link for %s. r_len %d, "
"graph len %d candidates %d"
% (tnode.dsa_dnstr, r_len, len(graph_list),
len(candidates)))
DEBUG("candidates %s" % [x.dsa_dnstr for x in candidates])
while candidates and not tnode.has_sufficient_edges():
other = random.choice(candidates)
DEBUG("trying to add candidate %s" % other.dsa_dnstr)
if not tnode.add_edge_from(other.dsa_dnstr):
debug.DEBUG_RED("could not add %s" % other.dsa_dnstr)
candidates.remove(other)
else:
DEBUG_FN("not adding links to %s: nodes %s, links is %s/%s" %
(tnode.dsa_dnstr, r_len, len(tnode.edge_from),
tnode.max_edges))
# Print the graph node in debug mode
DEBUG_FN("%s" % tnode)
# For each edge directed to the local DC, ensure a nTDSConnection
# points to us that satisfies the KCC criteria
if tnode.dsa_dnstr == dc_local.dsa_dnstr:
tnode.add_connections_from_edges(dc_local, self.ip_transport)
if self.verify or do_dot_files:
dot_edges = []
dot_vertices = set()
for v1 in graph_list:
dot_vertices.add(v1.dsa_dnstr)
for v2 in v1.edge_from:
dot_edges.append((v2, v1.dsa_dnstr))
dot_vertices.add(v2)
verify_properties = ('connected',)
verify_and_dot('intrasite_post_ntdscon', dot_edges, dot_vertices,
label='%s__%s__%s' % (site_local.site_dnstr,
nctype_lut[nc_x.nc_type],
nc_x.nc_dnstr),
properties=verify_properties, debug=DEBUG,
verify=self.verify,
dot_file_dir=self.dot_file_dir,
directed=True)
rw_dot_vertices = set(x for x in dot_vertices
if not self.get_dsa(x).is_ro())
rw_dot_edges = [(a, b) for a, b in dot_edges if
a in rw_dot_vertices and b in rw_dot_vertices]
rw_verify_properties = ('connected',
'directed_double_ring_or_small')
verify_and_dot('intrasite_rw_post_ntdscon', rw_dot_edges,
rw_dot_vertices,
label='%s__%s__%s' % (site_local.site_dnstr,
nctype_lut[nc_x.nc_type],
nc_x.nc_dnstr),
properties=rw_verify_properties, debug=DEBUG,
verify=self.verify,
dot_file_dir=self.dot_file_dir,
directed=True)
def intrasite(self):
"""Generate the intrasite KCC connections
As per MS-ADTS 6.2.2.2.
If self.readonly is False, the connections are added to self.samdb.
After this call, all DCs in each site with more than 3 DCs
should be connected in a bidirectional ring. If a site has 2
DCs, they will bidirectionally connected. Sites with many DCs
may have arbitrary extra connections.
:return: None
"""
mydsa = self.my_dsa
DEBUG_FN("intrasite(): enter")
# Test whether local site has topology disabled
mysite = self.my_site
if mysite.is_intrasite_topology_disabled():
return
detect_stale = (not mysite.is_detect_stale_disabled())
for connect in mydsa.connect_table.values():
if connect.to_be_added:
debug.DEBUG_CYAN("TO BE ADDED:\n%s" % connect)
# Loop thru all the partitions, with gc_only False
for partdn, part in self.part_table.items():
self.construct_intrasite_graph(mysite, mydsa, part, False,
detect_stale)
for connect in mydsa.connect_table.values():
if connect.to_be_added:
debug.DEBUG_BLUE("TO BE ADDED:\n%s" % connect)
# If the DC is a GC server, the KCC constructs an additional NC
# replica graph (and creates nTDSConnection objects) for the
# config NC as above, except that only NC replicas that "are present"
# on GC servers are added to R.
for connect in mydsa.connect_table.values():
if connect.to_be_added:
debug.DEBUG_YELLOW("TO BE ADDED:\n%s" % connect)
# Do it again, with gc_only True
for partdn, part in self.part_table.items():
if part.is_config():
self.construct_intrasite_graph(mysite, mydsa, part, True,
detect_stale)
# The DC repeats the NC replica graph computation and nTDSConnection
# creation for each of the NC replica graphs, this time assuming
# that no DC has failed. It does so by re-executing the steps as
# if the bit NTDSSETTINGS_OPT_IS_TOPL_DETECT_STALE_DISABLED were
# set in the options attribute of the site settings object for
# the local DC's site. (ie. we set "detec_stale" flag to False)
for connect in mydsa.connect_table.values():
if connect.to_be_added:
debug.DEBUG_BLUE("TO BE ADDED:\n%s" % connect)
# Loop thru all the partitions.
for partdn, part in self.part_table.items():
self.construct_intrasite_graph(mysite, mydsa, part, False,
False) # don't detect stale
# If the DC is a GC server, the KCC constructs an additional NC
# replica graph (and creates nTDSConnection objects) for the
# config NC as above, except that only NC replicas that "are present"
# on GC servers are added to R.
for connect in mydsa.connect_table.values():
if connect.to_be_added:
debug.DEBUG_RED("TO BE ADDED:\n%s" % connect)
for partdn, part in self.part_table.items():
if part.is_config():
self.construct_intrasite_graph(mysite, mydsa, part, True,
False) # don't detect stale
self._commit_changes(mydsa)
def list_dsas(self):
"""Compile a comprehensive list of DSA DNs
These are all the DSAs on all the sites that KCC would be
dealing with.
This method is not idempotent and may not work correctly in
sequence with KCC.run().
:return: a list of DSA DN strings.
"""
self.load_my_site()
self.load_my_dsa()
self.load_all_sites()
self.load_all_partitions()
self.load_ip_transport()
self.load_all_sitelinks()
dsas = []
for site in self.site_table.values():
dsas.extend([dsa.dsa_dnstr.replace('CN=NTDS Settings,', '', 1)
for dsa in site.dsa_table.values()])
return dsas
def load_samdb(self, dburl, lp, creds, force=False):
"""Load the database using an url, loadparm, and credentials
If force is False, the samdb won't be reloaded if it already
exists.
:param dburl: a database url.
:param lp: a loadparm object.
:param creds: a Credentials object.
:param force: a boolean indicating whether to overwrite.
"""
if force or self.samdb is None:
try:
self.samdb = SamDB(url=dburl,
session_info=system_session(),
credentials=creds, lp=lp)
except ldb.LdbError as e1:
(num, msg) = e1.args
raise KCCError("Unable to open sam database %s : %s" %
(dburl, msg))
def plot_all_connections(self, basename, verify_properties=()):
"""Helper function to plot and verify NTDSConnections
:param basename: an identifying string to use in filenames and logs.
:param verify_properties: properties to verify (default empty)
"""
verify = verify_properties and self.verify
if not verify and self.dot_file_dir is None:
return
dot_edges = []
dot_vertices = []
edge_colours = []
vertex_colours = []
for dsa in self.dsa_by_dnstr.values():
dot_vertices.append(dsa.dsa_dnstr)
if dsa.is_ro():
vertex_colours.append('#cc0000')
else:
vertex_colours.append('#0000cc')
for con in dsa.connect_table.values():
if con.is_rodc_topology():
edge_colours.append('red')
else:
edge_colours.append('blue')
dot_edges.append((con.from_dnstr, dsa.dsa_dnstr))
verify_and_dot(basename, dot_edges, vertices=dot_vertices,
label=self.my_dsa_dnstr,
properties=verify_properties, debug=DEBUG,
verify=verify, dot_file_dir=self.dot_file_dir,
directed=True, edge_colors=edge_colours,
vertex_colors=vertex_colours)
def run(self, dburl, lp, creds, forced_local_dsa=None,
forget_local_links=False, forget_intersite_links=False,
attempt_live_connections=False):
"""Perform a KCC run, possibly updating repsFrom topology
:param dburl: url of the database to work with.
:param lp: a loadparm object.
:param creds: a Credentials object.
:param forced_local_dsa: pretend to be on the DSA with this dn_str
:param forget_local_links: calculate as if no connections existed
(boolean, default False)
:param forget_intersite_links: calculate with only intrasite connection
(boolean, default False)
:param attempt_live_connections: attempt to connect to remote DSAs to
determine link availability (boolean, default False)
:return: 1 on error, 0 otherwise
"""
if self.samdb is None:
DEBUG_FN("samdb is None; let's load it from %s" % (dburl,))
self.load_samdb(dburl, lp, creds, force=False)
if forced_local_dsa:
self.samdb.set_ntds_settings_dn("CN=NTDS Settings,%s" %
forced_local_dsa)
try:
# Setup
self.load_my_site()
self.load_my_dsa()
self.load_all_sites()
self.load_all_partitions()
self.load_ip_transport()
self.load_all_sitelinks()
if self.verify or self.dot_file_dir is not None:
guid_to_dnstr = {}
for site in self.site_table.values():
guid_to_dnstr.update((str(dsa.dsa_guid), dnstr)
for dnstr, dsa
in site.dsa_table.items())
self.plot_all_connections('dsa_initial')
dot_edges = []
current_reps, needed_reps = self.my_dsa.get_rep_tables()
for dnstr, c_rep in current_reps.items():
DEBUG("c_rep %s" % c_rep)
dot_edges.append((self.my_dsa.dsa_dnstr, dnstr))
verify_and_dot('dsa_repsFrom_initial', dot_edges,
directed=True, label=self.my_dsa_dnstr,
properties=(), debug=DEBUG, verify=self.verify,
dot_file_dir=self.dot_file_dir)
dot_edges = []
for site in self.site_table.values():
for dsa in site.dsa_table.values():
current_reps, needed_reps = dsa.get_rep_tables()
for dn_str, rep in current_reps.items():
for reps_from in rep.rep_repsFrom:
DEBUG("rep %s" % rep)
dsa_guid = str(reps_from.source_dsa_obj_guid)
dsa_dn = guid_to_dnstr[dsa_guid]
dot_edges.append((dsa.dsa_dnstr, dsa_dn))
verify_and_dot('dsa_repsFrom_initial_all', dot_edges,
directed=True, label=self.my_dsa_dnstr,
properties=(), debug=DEBUG, verify=self.verify,
dot_file_dir=self.dot_file_dir)
dot_edges = []
dot_colours = []
for link in self.sitelink_table.values():
from hashlib import md5
tmp_str = link.dnstr.encode('utf8')
colour = '#' + md5(tmp_str).hexdigest()[:6]
for a, b in itertools.combinations(link.site_list, 2):
dot_edges.append((a[1], b[1]))
dot_colours.append(colour)
properties = ('connected',)
verify_and_dot('dsa_sitelink_initial', dot_edges,
directed=False,
label=self.my_dsa_dnstr, properties=properties,
debug=DEBUG, verify=self.verify,
dot_file_dir=self.dot_file_dir,
edge_colors=dot_colours)
if forget_local_links:
for dsa in self.my_site.dsa_table.values():
dsa.connect_table = dict((k, v) for k, v in
dsa.connect_table.items()
if v.is_rodc_topology() or
(v.from_dnstr not in
self.my_site.dsa_table))
self.plot_all_connections('dsa_forgotten_local')
if forget_intersite_links:
for site in self.site_table.values():
for dsa in site.dsa_table.values():
dsa.connect_table = dict((k, v) for k, v in
dsa.connect_table.items()
if site is self.my_site and
v.is_rodc_topology())
self.plot_all_connections('dsa_forgotten_all')
if attempt_live_connections:
# Encapsulates lp and creds in a function that
# attempts connections to remote DSAs.
def ping(self, dnsname):
try:
drs_utils.drsuapi_connect(dnsname, self.lp, self.creds)
except drs_utils.drsException:
return False
return True
else:
ping = None
# These are the published steps (in order) for the
# MS-TECH description of the KCC algorithm ([MS-ADTS] 6.2.2)
# Step 1
self.refresh_failed_links_connections(ping)
# Step 2
self.intrasite()
# Step 3
all_connected = self.intersite(ping)
# Step 4
self.remove_unneeded_ntdsconn(all_connected)
# Step 5
self.translate_ntdsconn()
# Step 6
self.remove_unneeded_failed_links_connections()
# Step 7
self.update_rodc_connection()
if self.verify or self.dot_file_dir is not None:
self.plot_all_connections('dsa_final',
('connected',))
debug.DEBUG_MAGENTA("there are %d dsa guids" %
len(guid_to_dnstr))
dot_edges = []
edge_colors = []
my_dnstr = self.my_dsa.dsa_dnstr
current_reps, needed_reps = self.my_dsa.get_rep_tables()
for dnstr, n_rep in needed_reps.items():
for reps_from in n_rep.rep_repsFrom:
guid_str = str(reps_from.source_dsa_obj_guid)
dot_edges.append((my_dnstr, guid_to_dnstr[guid_str]))
edge_colors.append('#' + str(n_rep.nc_guid)[:6])
verify_and_dot('dsa_repsFrom_final', dot_edges, directed=True,
label=self.my_dsa_dnstr,
properties=(), debug=DEBUG, verify=self.verify,
dot_file_dir=self.dot_file_dir,
edge_colors=edge_colors)
dot_edges = []
for site in self.site_table.values():
for dsa in site.dsa_table.values():
current_reps, needed_reps = dsa.get_rep_tables()
for n_rep in needed_reps.values():
for reps_from in n_rep.rep_repsFrom:
dsa_guid = str(reps_from.source_dsa_obj_guid)
dsa_dn = guid_to_dnstr[dsa_guid]
dot_edges.append((dsa.dsa_dnstr, dsa_dn))
verify_and_dot('dsa_repsFrom_final_all', dot_edges,
directed=True, label=self.my_dsa_dnstr,
properties=(), debug=DEBUG, verify=self.verify,
dot_file_dir=self.dot_file_dir)
except:
raise
return 0
def import_ldif(self, dburl, lp, ldif_file, forced_local_dsa=None):
"""Import relevant objects and attributes from an LDIF file.
The point of this function is to allow a programmer/debugger to
import an LDIF file with non-security relevant information that
was previously extracted from a DC database. The LDIF file is used
to create a temporary abbreviated database. The KCC algorithm can
then run against this abbreviated database for debug or test
verification that the topology generated is computationally the
same between different OSes and algorithms.
:param dburl: path to the temporary abbreviated db to create
:param lp: a loadparm object.
:param ldif_file: path to the ldif file to import
:param forced_local_dsa: perform KCC from this DSA's point of view
:return: zero on success, 1 on error
"""
try:
self.samdb = ldif_import_export.ldif_to_samdb(dburl, lp, ldif_file,
forced_local_dsa)
except ldif_import_export.LdifError as e:
logger.critical(e)
return 1
return 0
def export_ldif(self, dburl, lp, creds, ldif_file):
"""Save KCC relevant details to an ldif file
The point of this function is to allow a programmer/debugger to
extract an LDIF file with non-security relevant information from
a DC database. The LDIF file can then be used to "import" via
the import_ldif() function this file into a temporary abbreviated
database. The KCC algorithm can then run against this abbreviated
database for debug or test verification that the topology generated
is computationally the same between different OSes and algorithms.
:param dburl: LDAP database URL to extract info from
:param lp: a loadparm object.
:param cred: a Credentials object.
:param ldif_file: output LDIF file name to create
:return: zero on success, 1 on error
"""
try:
ldif_import_export.samdb_to_ldif_file(self.samdb, dburl, lp, creds,
ldif_file)
except ldif_import_export.LdifError as e:
logger.critical(e)
return 1
return 0