| blob | e96ff836437a840e1bb85160c03813073d3cbc3e |
1 # define the KCC object
2 #
3 # Copyright (C) Dave Craft 2011
4 # Copyright (C) Andrew Bartlett 2015
5 #
6 # Andrew Bartlett's alleged work performed by his underlings Douglas
7 # Bagnall and Garming Sam.
8 #
9 # This program is free software; you can redistribute it and/or modify
10 # it under the terms of the GNU General Public License as published by
11 # the Free Software Foundation; either version 3 of the License, or
12 # (at your option) any later version.
13 #
14 # This program is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 # GNU General Public License for more details.
18 #
19 # You should have received a copy of the GNU General Public License
20 # along with this program. If not, see <http://www.gnu.org/licenses/>.
22 import random
23 import uuid
25 import itertools
50 """Helper to sort NCReplicas by their DSA guids
52 The guids need to be sorted in their NDR form.
54 :param rep1: An NC replica
55 :param rep2: Another replica
56 :return: -1, 0, or 1, indicating sort order.
57 """
62 """Helper to sort DSAs by guid global catalog status
64 GC DSAs come before non-GC DSAs, other than that, the guids are
65 sorted in NDR form.
67 :param dsa1: A DSA object
68 :param dsa2: Another DSA
69 :return: -1, 0, or 1, indicating sort order.
70 """
79 """Can the KCC use SMTP replication?
81 Currently always returns false because Samba doesn't implement
82 SMTP transfer for NC changes between DCs.
84 :return: Boolean (always False)
85 """
86 return False
90 """The Knowledge Consistency Checker class.
92 A container for objects and methods allowing a run of the KCC. Produces a
93 set of connections in the samdb for which the Distributed Replication
94 Service can then utilize to replicate naming contexts
96 :param unix_now: The putative current time in seconds since 1970.
97 :param read_only: Don't write to the database.
98 :param verify: Check topological invariants for the generated graphs
99 :param debug: Write verbosely to stderr.
100 "param dot_file_dir: write diagnostic Graphviz files in this directory
101 """
104 """Initializes the partitions class which can hold
105 our local DCs partitions or all the partitions in
106 the forest
107 """
118 # TODO: These should be backed by a 'permanent' store so that when
119 # calling DRSGetReplInfo with DS_REPL_INFO_KCC_DSA_CONNECT_FAILURES,
120 # the failure information can be returned
124 # Used in inter-site topology computation. A list
125 # of connections (by NTDSConnection object) that are
126 # to be kept when pruning un-needed NTDS Connections
145 """Loads the inter-site transport objects for Sites
147 :return: None
148 :raise KCCError: if no IP transport is found
149 """
157 estr)
179 """Loads the inter-site siteLink objects
181 :return: None
182 :raise KCCError: if site-links aren't found
183 """
195 # already loaded
197 continue
203 # Assign this siteLink to table
204 # and index by dn
208 """Helper for load_my_site and load_all_sites.
210 Put all the site's DSAs into the KCC indices.
212 :param dn_str: a site dn_str
213 :return: the Site object pertaining to the dn_str
214 """
218 # We avoid replacing the site with an identical copy in case
219 # somewhere else has a reference to the old one, which would
220 # lead to all manner of confusion and chaos.
231 """Load the Site object for the local DSA.
233 :return: None
234 """
242 """Discover all sites and create Site objects.
244 :return: None
245 :raise: KCCError if sites can't be found
246 """
260 """Discover my nTDSDSA dn thru the rootDSE entry
262 :return: None
263 :raise: KCCError if DSA can't be found
264 """
272 "This typically happens in --importldif mode due "
275 # We work around the failure above by looking at the
276 # dsServiceName that was put in the fake rootdse by
277 # the --exportldif, rather than the
278 # samdb.get_ntds_GUID(). The disadvantage is that this
279 # mode requires we modify the @ROOTDSE dnq to support
280 # --forced-local-dsa
308 "Let's add it, because my_dsa is special!"
316 """Discover and load all partitions.
318 Each NC is inserted into the part_table by partition
319 dn string (not the nCName dn string)
321 :return: None
322 :raise: KCCError if partitions can't be found
323 """
335 # already loaded
337 continue
345 """Ensure the failed links list is up to date
347 Based on MS-ADTS 6.2.2.1
349 :param ping: An oracle function of remote site availability
350 :return: None
351 """
352 # LINKS: Refresh failed links
356 # For every possible connection to replicate
360 continue
371 dns_name)
376 time_first_failure)
379 # CONNECTIONS: Refresh failed connections
385 # Failed connection is no longer failing
393 # Remove the restored connections from the failed connections
397 """Check whether a link to a remote DSA is stale
399 Used in MS-ADTS 6.2.2.2 Intrasite Connection Creation
401 Returns True if the remote seems to have been down for at
402 least two hours, otherwise False.
404 :param target_dsa: the remote DSA object
405 :return: True if link is stale, otherwise False
406 """
409 # failure_count should be > 0, but check anyways
411 unix_first_failure = \
413 # TODO guard against future
418 # Perform calculation in seconds
420 return True
422 # TODO connections.
423 # We have checked failed *links*, but we also need to check
424 # *connections*
426 return False
428 # TODO: This should be backed by some form of local database
430 # Remove all tuples in kcc_failed_links where failure count = 0
431 # In this implementation, this should never happen.
433 # Remove all connections which were not used this run or connections
434 # that became active during this run.
435 pass
438 """Load or fake-load NTDSConnections lacking GUIDs
440 New connections don't have GUIDs and created times which are
441 needed for sorting. If we're in read-only mode, we make fake
442 GUIDs, otherwise we ask SamDB to do it for us.
444 :param connections: an iterable of NTDSConnection objects.
445 :return: None
446 """
456 """Find NTDS Connections that lack a remote
458 I'm not sure how they appear. Let's be rid of them by marking
459 them with the to_be_deleted attribute.
461 :return: None
462 """
467 cn_conn))
471 """Find unneeded intrasite NTDS Connections for removal
473 Based on MS-ADTS 6.2.2.4 Removing Unnecessary Connections.
474 Every DC removes its own unnecessary intrasite connections.
475 This function tags them with the to_be_deleted attribute.
477 :return: None
478 """
479 # XXX should an RODC be regarded as same site? It isn't part
480 # of the intrasite ring.
485 return
492 # RODC never actually added any connections to begin with
494 return
496 local_connections = []
518 """find unneeded intersite NTDS Connections for removal
520 Based on MS-ADTS 6.2.2.4 Removing Unnecessary Connections. The
521 intersite topology generator removes links for all DCs in its
522 site. Here we just tag them with the to_be_deleted attribute.
524 :return: None
525 """
526 # TODO Figure out how best to handle the RODC case
527 # The RODC is ITSG, but shouldn't act on anyone's behalf.
529 return
531 # Find the intersite connections
533 connections_and_dsas = []
537 continue
540 continue
543 # Samba ONLY: ISTG removes connections to dead DCs
547 continue
553 continue
555 # If the connection is in the kept_connections list, we
556 # only remove it if an endpoint seems down.
560 continue
562 # this one is broken and might be superseded by another.
563 # But which other? Let's just say another link to the same
564 # site can supersede.
583 # Peform deletion from our tables but perform
584 # no database modification
587 # Commit any modified connections
591 """Remove unneeded NTDS Connections once topology is calculated
593 Based on MS-ADTS 6.2.2.4 Removing Unnecessary Connections
595 :param all_connected: indicates whether all sites are connected
596 :return: None
597 """
600 # if we are not the istg, we're done!
601 # if we are the istg, but all_connected is False, we also do nothing.
609 """Update an repsFrom object if required.
611 Part of MS-ADTS 6.2.2.5.
613 Update t_repsFrom if necessary to satisfy requirements. Such
614 updates are typically required when the IDL_DRSGetNCChanges
615 server has moved from one site to another--for example, to
616 enable compression when the server is moved from the
617 client's site to another site.
619 The repsFrom.update_flags bit field may be modified
620 auto-magically if any changes are made here. See
621 kcc_utils.RepsFromTo for gory details.
624 :param n_rep: NC replica we need
625 :param t_repsFrom: repsFrom tuple to modify
626 :param s_rep: NC replica at source DSA
627 :param s_dsa: source DSA
628 :param cn_conn: Local DSA NTDSConnection child
630 :return: None
631 """
635 # if schedule doesn't match then update and modify
640 # Bit DRS_ADD_REF is set in replicaFlags unconditionally
641 # Samba ONLY:
646 # Bit DRS_PER_SYNC is set in replicaFlags if and only
647 # if nTDSConnection schedule has a value v that specifies
648 # scheduled replication is to be performed at least once
649 # per week.
656 # Bit DRS_INIT_SYNC is set in t.replicaFlags if and only
657 # if the source DSA and the local DC's nTDSDSA object are
658 # in the same site or source dsa is the FSMO role owner
659 # of one or more FSMO roles in the NC replica.
666 # If bit NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT is set in
667 # cn!options, bit DRS_NEVER_NOTIFY is set in t.replicaFlags
668 # if and only if bit NTDSCONN_OPT_USE_NOTIFY is clear in
669 # cn!options. Otherwise, bit DRS_NEVER_NOTIFY is set in
670 # t.replicaFlags if and only if s and the local DC's
671 # nTDSDSA object are in different sites.
676 # WARNING
677 #
678 # it LOOKS as if this next test is a bit silly: it
679 # checks the flag then sets it if it not set; the same
680 # effect could be achieved by unconditionally setting
681 # it. But in fact the repsFrom object has special
682 # magic attached to it, and altering replica_flags has
683 # side-effects. That is bad in my opinion, but there
684 # you go.
688 drsuapi.DRSUAPI_DRS_NEVER_NOTIFY
696 # Bit DRS_USE_COMPRESSION is set in t.replicaFlags if
697 # and only if s and the local DC's nTDSDSA object are
698 # not in the same site and the
699 # NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION bit is
700 # clear in cn!options
709 # Bit DRS_TWOWAY_SYNC is set in t.replicaFlags if and only
710 # if bit NTDSCONN_OPT_TWOWAY_SYNC is set in cn!options.
717 # Bits DRS_DISABLE_AUTO_SYNC and DRS_DISABLE_PERIODIC_SYNC are
718 # set in t.replicaFlags if and only if cn!enabledConnection = false.
724 drsuapi.DRSUAPI_DRS_DISABLE_AUTO_SYNC
729 drsuapi.DRSUAPI_DRS_DISABLE_PERIODIC_SYNC
731 # If s and the local DC's nTDSDSA object are in the same site,
732 # cn!transportType has no value, or the RDN of cn!transportType
733 # is CN=IP:
734 #
735 # Bit DRS_MAIL_REP in t.replicaFlags is clear.
736 #
737 # t.uuidTransport = NULL GUID.
738 #
739 # t.uuidDsa = The GUID-based DNS name of s.
740 #
741 # Otherwise:
742 #
743 # Bit DRS_MAIL_REP in t.replicaFlags is set.
744 #
745 # If x is the object with dsname cn!transportType,
746 # t.uuidTransport = x!objectGUID.
747 #
748 # Let a be the attribute identified by
749 # x!transportAddressAttribute. If a is
750 # the dNSHostName attribute, t.uuidDsa = the GUID-based
751 # DNS name of s. Otherwise, t.uuidDsa = (s!parent)!a.
752 #
753 # It appears that the first statement i.e.
754 #
755 # "If s and the local DC's nTDSDSA object are in the same
756 # site, cn!transportType has no value, or the RDN of
757 # cn!transportType is CN=IP:"
758 #
759 # could be a slightly tighter statement if it had an "or"
760 # between each condition. I believe this should
761 # be interpreted as:
762 #
763 # IF (same-site) OR (no-value) OR (type-ip)
764 #
765 # because IP should be the primary transport mechanism
766 # (even in inter-site) and the absense of the transportType
767 # attribute should always imply IP no matter if its multi-site
768 #
769 # NOTE MS-TECH INCORRECT:
770 #
771 # All indications point to these statements above being
772 # incorrectly stated:
773 #
774 # t.uuidDsa = The GUID-based DNS name of s.
775 #
776 # Let a be the attribute identified by
777 # x!transportAddressAttribute. If a is
778 # the dNSHostName attribute, t.uuidDsa = the GUID-based
779 # DNS name of s. Otherwise, t.uuidDsa = (s!parent)!a.
780 #
781 # because the uuidDSA is a GUID and not a GUID-base DNS
782 # name. Nor can uuidDsa hold (s!parent)!a if not
783 # dNSHostName. What should have been said is:
784 #
785 # t.naDsa = The GUID-based DNS name of s
786 #
787 # That would also be correct if transportAddressAttribute
788 # were "mailAddress" because (naDsa) can also correctly
789 # hold the SMTP ISM service address.
790 #
799 # See (NOTE MS-TECH INCORRECT) above
801 # NOTE: it looks like these conditionals are pointless,
802 # because the state will end up as `t_repsFrom.dns_name1 ==
803 # nastr` in either case, BUT the repsFrom thing is magic and
804 # assigning to it alters some flags. So we try not to update
805 # it unless necessary.
816 """If a connection imply a replica, find the relevant DSA
818 Given a NC replica and NTDS Connection, determine if the
819 connection implies a repsFrom tuple should be present from the
820 source DSA listed in the connection to the naming context. If
821 it should be, return the DSA; otherwise return None.
823 Based on part of MS-ADTS 6.2.2.5
825 :param n_rep: NC replica
826 :param cn_conn: NTDS Connection
827 :return: source DSA or None
828 """
829 # XXX different conditions for "implies" than MS-ADTS 6.2.2
830 # preamble.
832 # It boils down to: we want an enabled, non-FRS connections to
833 # a valid remote DSA with a non-RO replica corresponding to
834 # n_rep.
837 return None
842 # No DSA matching this source DN string?
844 return None
851 return s_dsa
852 return None
855 """Adjust repsFrom to match NTDSConnections
857 This function adjusts values of repsFrom abstract attributes of NC
858 replicas on the local DC to match those implied by
859 nTDSConnection objects.
861 Based on [MS-ADTS] 6.2.2.5
863 :param current_dsa: optional DSA on whose behalf we are acting.
864 :return: None
865 """
878 return
884 # Filled in with replicas we currently have that need deleting
887 # We're using the MS notation names here to allow
888 # correlation back to the published algorithm.
889 #
890 # n_rep - NC replica (n)
891 # t_repsFrom - tuple (t) in n!repsFrom
892 # s_dsa - Source DSA of the replica. Defined as nTDSDSA
893 # object (s) such that (s!objectGUID = t.uuidDsa)
894 # In our IDL representation of repsFrom the (uuidDsa)
895 # attribute is called (source_dsa_obj_guid)
896 # cn_conn - (cn) is nTDSConnection object and child of the local
897 # DC's nTDSDSA object and (cn!fromServer = s)
898 # s_rep - source DSA replica of n
899 #
900 # If we have the replica and its not needed
901 # then we add it to the "to be deleted" list.
903 # If we're on the RODC, hardcode the update flags
909 drsuapi.DRSUAPI_DRS_PER_SYNC |
910 drsuapi.DRSUAPI_DRS_ADD_REF |
911 drsuapi.DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING |
912 drsuapi.DRSUAPI_DRS_GET_ALL_GROUP_MEMBERSHIP |
929 # Now perform the scan of replicas we'll need
930 # and compare any current repsFrom against the
931 # connections
934 # load any repsFrom and fsmo roles as we'll
935 # need them during connection translation
939 # Loop thru the existing repsFrom tupples (if any)
940 # XXX This is a list and could contain duplicates
941 # (multiple load_repsFrom calls)
944 # for each tuple t in n!repsFrom, let s be the nTDSDSA
945 # object such that s!objectGUID = t.uuidDsa
949 # Source dsa is gone from config (strange)
950 # so cleanup stale repsFrom for unlisted DSA
953 guidstr)
955 continue
957 # Find the connection that this repsFrom would use. If
958 # there isn't a good one (i.e. non-RODC_TOPOLOGY,
959 # meaning non-FRS), we delete the repsFrom.
964 break
966 # no break means no non-rodc_topology connection exists
968 continue
970 # KCC removes this repsFrom tuple if any of the following
971 # is true:
972 # No NC replica of the NC "is present" on DSA that
973 # would be source of replica
974 #
975 # A writable replica of the NC "should be present" on
976 # the local DC, but a partial replica "is present" on
977 # the source DSA
984 continue
986 # If the KCC did not remove t from n!repsFrom, it updates t
989 # Loop thru connections and add implied repsFrom tuples
990 # for each NTDSConnection under our local DSA if the
991 # repsFrom is not already present
996 continue
998 # Loop thru the existing repsFrom tupples (if any) and
999 # if we already have a tuple for this connection then
1000 # no need to proceed to add. It will have been changed
1001 # to have the correct attributes above
1006 break
1009 continue
1011 # Create a new RepsFromTo and proceed to modify
1012 # it according to specification
1021 # Add to our NC repsFrom as this is newly computed
1026 # Display any to be deleted or modified repsFrom
1034 # Peform deletion from our tables but perform
1035 # no database modification
1038 # Commit any modified repsFrom to the NC replica
1042 """Merge of kCCFailedLinks and kCCFailedLinks from bridgeheads.
1044 The KCC on a writable DC attempts to merge the link and connection
1045 failure information from bridgehead DCs in its own site to help it
1046 identify failed bridgehead DCs.
1048 Based on MS-ADTS 6.2.2.3.2 "Merge of kCCFailedLinks and kCCFailedLinks
1049 from Bridgeheads"
1051 :param ping: An oracle of current bridgehead availability
1052 :return: None
1053 """
1054 # 1. Queries every bridgehead server in your site (other than yourself)
1055 # 2. For every ntDSConnection that references a server in a different
1056 # site merge all the failure info
1057 #
1058 # XXX - not implemented yet
1067 """Set up an intersite graph
1069 An intersite graph has a Vertex for each site object, a
1070 MultiEdge for each SiteLink object, and a MutliEdgeSet for
1071 each siteLinkBridge object (or implied siteLinkBridge). It
1072 reflects the intersite topology in a slightly more abstract
1073 graph form.
1075 Roughly corresponds to MS-ADTS 6.2.2.3.4.3
1077 :param part: a Partition object
1078 :returns: an InterSiteGraph object
1079 """
1080 # If 'Bridge all site links' is enabled and Win2k3 bridges required
1081 # is not set
1082 # NTDSTRANSPORT_OPT_BRIDGES_REQUIRED 0x00000002
1083 # No documentation for this however, ntdsapi.h appears to have:
1084 # NTDSSETTINGS_OPT_W2K3_BRIDGES_REQUIRED = 0x00001000
1092 dot_edges = []
1096 verify_properties = ()
1104 return g
1107 """Get a bridghead DC for a site.
1109 Part of MS-ADTS 6.2.2.3.4.4
1111 :param site: site object representing for which a bridgehead
1112 DC is desired.
1113 :param part: crossRef for NC to replicate.
1114 :param transport: interSiteTransport object for replication
1115 traffic.
1116 :param partial_ok: True if a DC containing a partial
1117 replica or a full replica will suffice, False if only
1118 a full replica will suffice.
1119 :param detect_failed: True to detect failed DCs and route
1120 replication traffic around them, False to assume no DC
1121 has failed.
1122 :return: dsa object for the bridgehead DC or None
1123 """
1130 return None
1138 """Get all bridghead DCs on a site satisfying the given criteria
1140 Part of MS-ADTS 6.2.2.3.4.4
1142 :param site: site object representing the site for which
1143 bridgehead DCs are desired.
1144 :param part: partition for NC to replicate.
1145 :param transport: interSiteTransport object for
1146 replication traffic.
1147 :param partial_ok: True if a DC containing a partial
1148 replica or a full replica will suffice, False if
1149 only a full replica will suffice.
1150 :param detect_failed: True to detect failed DCs and route
1151 replication traffic around them, FALSE to assume
1152 no DC has failed.
1153 :return: list of dsa object for available bridgehead DCs
1154 """
1155 bhs = []
1167 # IF t!bridgeheadServerListBL has one or more values and
1168 # t!bridgeheadServerListBL does not contain a reference
1169 # to the parent object of dc then skip dc
1172 continue
1174 # IF dc is in the same site as the local DC
1175 # IF a replica of cr!nCName is not in the set of NC replicas
1176 # that "should be present" on dc or a partial replica of the
1177 # NC "should be present" but partialReplicasOkay = FALSE
1178 # Skip dc
1182 continue
1185 # ELSE
1186 # IF an NC replica of cr!nCName is not in the set of NC
1187 # replicas that "are present" on dc or a partial replica of
1188 # the NC "is present" but partialReplicasOkay = FALSE
1189 # Skip dc
1193 continue
1195 # IF AmIRODC() and cr!nCName corresponds to default NC then
1196 # Let dsaobj be the nTDSDSA object of the dc
1197 # IF dsaobj.msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
1198 # Skip dc
1201 continue
1203 # IF BridgeheadDCFailed(dc!objectGUID, detectFailedDCs) = TRUE
1204 # Skip dc
1207 continue
1212 # IF bit NTDSSETTINGS_OPT_IS_RAND_BH_SELECTION_DISABLED is set in
1213 # s!options
1214 # SORT bhs such that all GC servers precede DCs that are not GC
1215 # servers, and otherwise by ascending objectGUID
1216 # ELSE
1217 # SORT bhs in a random order
1223 return bhs
1226 """Determine whether a given DC is known to be in a failed state
1228 :param dsa: the bridgehead to test
1229 :param detect_failed: True to really check, False to assume no failure
1230 :return: True if and only if the DC should be considered failed
1232 Here we DEPART from the pseudo code spec which appears to be
1233 wrong. It says, in full:
1235 /***** BridgeheadDCFailed *****/
1236 /* Determine whether a given DC is known to be in a failed state.
1237 * IN: objectGUID - objectGUID of the DC's nTDSDSA object.
1238 * IN: detectFailedDCs - TRUE if and only failed DC detection is
1239 * enabled.
1240 * RETURNS: TRUE if and only if the DC should be considered to be in a
1241 * failed state.
1242 */
1243 BridgeheadDCFailed(IN GUID objectGUID, IN bool detectFailedDCs) : bool
1244 {
1245 IF bit NTDSSETTINGS_OPT_IS_TOPL_DETECT_STALE_DISABLED is set in
1246 the options attribute of the site settings object for the local
1247 DC's site
1248 RETURN FALSE
1249 ELSEIF a tuple z exists in the kCCFailedLinks or
1250 kCCFailedConnections variables such that z.UUIDDsa =
1251 objectGUID, z.FailureCount > 1, and the current time -
1252 z.TimeFirstFailure > 2 hours
1253 RETURN TRUE
1254 ELSE
1255 RETURN detectFailedDCs
1256 ENDIF
1257 }
1259 where you will see detectFailedDCs is not behaving as
1260 advertised -- it is acting as a default return code in the
1261 event that a failure is not detected, not a switch turning
1262 detection on or off. Elsewhere the documentation seems to
1263 concur with the comment rather than the code.
1264 """
1266 return False
1268 # NTDSSETTINGS_OPT_IS_TOPL_DETECT_STALE_DISABLED = 0x00000008
1269 # When DETECT_STALE_DISABLED, we can never know of if
1270 # it's in a failed state
1272 return False
1279 """Create an nTDSConnection object as specified if it doesn't exist.
1281 Part of MS-ADTS 6.2.2.3.4.5
1283 :param part: crossRef object for the NC to replicate.
1284 :param rbh: nTDSDSA object for DC to act as the
1285 IDL_DRSGetNCChanges server (which is in a site other
1286 than the local DC's site).
1287 :param rsite: site of the rbh
1288 :param transport: interSiteTransport object for the transport
1289 to use for replication traffic.
1290 :param lbh: nTDSDSA object for DC to act as the
1291 IDL_DRSGetNCChanges client (which is in the local DC's site).
1292 :param lsite: site of the lbh
1293 :param link_opt: Replication parameters (aggregated siteLink options,
1294 etc.)
1295 :param link_sched: Schedule specifying the times at which
1296 to begin replicating.
1297 :partial_ok: True if bridgehead DCs containing partial
1298 replicas of the NC are acceptable.
1299 :param detect_failed: True to detect failed DCs and route
1300 replication traffic around them, FALSE to assume no DC
1301 has failed.
1302 """
1310 # MS-TECH says to compute rbhs_avail but then doesn't use it
1311 # rbhs_avail = self.get_all_bridgeheads(rsite, part, transport,
1312 # partial_ok, detect_failed)
1322 # MS-TECH says to compute lbhs_avail but then doesn't use it
1323 # lbhs_avail = self.get_all_bridgeheads(lsite, part, transport,
1324 # partial_ok, detect_failed)
1326 # FOR each nTDSConnection object cn such that the parent of cn is
1327 # a DC in lbhsAll and cn!fromServer references a DC in rbhsAll
1333 continue
1336 # IF bit NTDSCONN_OPT_IS_GENERATED is set in cn!options and
1337 # NTDSCONN_OPT_RODC_TOPOLOGY is clear in cn!options and
1338 # cn!transportType references t
1343 # IF bit NTDSCONN_OPT_USER_OWNED_SCHEDULE is clear in
1344 # cn!options and cn!schedule != sch
1345 # Perform an originating update to set cn!schedule to
1346 # sched
1352 # IF bits NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT and
1353 # NTDSCONN_OPT_USE_NOTIFY are set in cn
1357 # IF bit NTDSSITELINK_OPT_USE_NOTIFY is clear in
1358 # ri.Options
1359 # Perform an originating update to clear bits
1360 # NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT and
1361 # NTDSCONN_OPT_USE_NOTIFY in cn!options
1368 # ELSE
1371 # IF bit NTDSSITELINK_OPT_USE_NOTIFY is set in
1372 # ri.Options
1373 # Perform an originating update to set bits
1374 # NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT and
1375 # NTDSCONN_OPT_USE_NOTIFY in cn!options
1382 # IF bit NTDSCONN_OPT_TWOWAY_SYNC is set in cn!options
1385 # IF bit NTDSSITELINK_OPT_TWOWAY_SYNC is clear in
1386 # ri.Options
1387 # Perform an originating update to clear bit
1388 # NTDSCONN_OPT_TWOWAY_SYNC in cn!options
1393 # ELSE
1396 # IF bit NTDSSITELINK_OPT_TWOWAY_SYNC is set in
1397 # ri.Options
1398 # Perform an originating update to set bit
1399 # NTDSCONN_OPT_TWOWAY_SYNC in cn!options
1404 # IF bit NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION is set
1405 # in cn!options
1408 # IF bit NTDSSITELINK_OPT_DISABLE_COMPRESSION is clear
1409 # in ri.Options
1410 # Perform an originating update to clear bit
1411 # NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION in
1412 # cn!options
1416 ~dsdb.NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION
1419 # ELSE
1421 # IF bit NTDSSITELINK_OPT_DISABLE_COMPRESSION is set in
1422 # ri.Options
1423 # Perform an originating update to set bit
1424 # NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION in
1425 # cn!options
1429 dsdb.NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION
1432 # Display any modified connection
1440 # ENDFOR
1444 # FOR each nTDSConnection object cn such that cn!parent is
1445 # a DC in lbhsAll and cn!fromServer references a DC in rbhsAll
1451 continue
1455 # IF (bit NTDSCONN_OPT_IS_GENERATED is clear in cn!options or
1456 # cn!transportType references t) and
1457 # NTDSCONN_OPT_RODC_TOPOLOGY is clear in cn!options
1462 # LET rguid be the objectGUID of the nTDSDSA object
1463 # referenced by cn!fromServer
1464 # LET lguid be (cn!parent)!objectGUID
1466 # IF BridgeheadDCFailed(rguid, detectFailedDCs) = FALSE and
1467 # BridgeheadDCFailed(lguid, detectFailedDCs) = FALSE
1468 # Increment cValidConnections by 1
1473 # IF keepConnections does not contain cn!objectGUID
1474 # APPEND cn!objectGUID to keepConnections
1477 # ENDFOR
1480 # IF cValidConnections = 0
1483 # LET opt be NTDSCONN_OPT_IS_GENERATED
1486 # IF bit NTDSSITELINK_OPT_USE_NOTIFY is set in ri.Options
1487 # SET bits NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT and
1488 # NTDSCONN_OPT_USE_NOTIFY in opt
1493 # IF bit NTDSSITELINK_OPT_TWOWAY_SYNC is set in ri.Options
1494 # SET bit NTDSCONN_OPT_TWOWAY_SYNC opt
1498 # IF bit NTDSSITELINK_OPT_DISABLE_COMPRESSION is set in
1499 # ri.Options
1500 # SET bit NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION in opt
1505 # Perform an originating update to create a new nTDSConnection
1506 # object cn that is a child of lbh, cn!enabledConnection = TRUE,
1507 # cn!options = opt, cn!transportType is a reference to t,
1508 # cn!fromServer is a reference to rbh, and cn!schedule = sch
1516 # Display any added connection
1525 # APPEND cn!objectGUID to keepConnections
1529 """Build a Vertex's transport lists
1531 Each vertex has accept_red_red and accept_black lists that
1532 list what transports they accept under various conditions. The
1533 only transport that is ever accepted is IP, and a dummy extra
1534 transport called "EDGE_TYPE_ALL".
1536 Part of MS-ADTS 6.2.2.3.4.3 -- ColorVertices
1538 :param vertex: the remote vertex we are thinking about
1539 :param local_vertex: the vertex relating to the local site.
1540 :param graph: the intersite graph
1541 :param detect_failed: whether to detect failed links
1542 :return: True if some bridgeheads were not found
1543 """
1544 # The docs ([MS-ADTS] 6.2.2.3.4.3) say to use local_vertex
1545 # here, but using vertex seems to make more sense. That is,
1546 # the docs want this:
1547 #
1548 #bh = self.get_bridgehead(local_vertex.site, vertex.part, transport,
1549 # local_vertex.is_black(), detect_failed)
1550 #
1551 # TODO WHY?????
1572 # Add additional transport to ensure another run of Dijkstra
1576 return found_failed
1579 """Create intersite NTDSConnections as needed by a partition
1581 Construct an NC replica graph for the NC identified by
1582 the given crossRef, then create any additional nTDSConnection
1583 objects required.
1585 :param graph: site graph.
1586 :param part: crossRef object for NC.
1587 :param detect_failed: True to detect failed DCs and route
1588 replication traffic around them, False to assume no DC
1589 has failed.
1591 Modifies self.kept_connections by adding any connections
1592 deemed to be "in use".
1594 :return: (all_connected, found_failed_dc)
1595 (all_connected) True if the resulting NC replica graph
1596 connects all sites that need to be connected.
1597 (found_failed_dc) True if one or more failed DCs were
1598 detected.
1599 """
1607 # XXX - This is a highly abbreviated function from the MS-TECH
1608 # ref. It creates connections between bridgeheads to all
1609 # sites that have appropriate replicas. Thus we are not
1610 # creating a minimum cost spanning tree but instead
1611 # producing a fully connected tree. This should produce
1612 # a full (albeit not optimal cost) replication topology.
1622 # No NC replicas for this NC in the site of the local DC,
1623 # so no nTDSConnection objects need be created
1636 # LET partialReplicaOkay be TRUE if and only if
1637 # localSiteVertex.Color = COLOR.BLACK
1640 # Utilize the IP transport only for now
1645 # XXX more accurate comparison?
1647 continue
1654 # We don't make connections to our own site as that
1655 # is intrasite topology generator's job
1658 continue
1660 # Determine bridgehead server in remote site
1664 continue
1666 # RODC acts as an BH for itself
1667 # IF AmIRODC() then
1668 # LET lbh be the nTDSDSA object of the local DC
1669 # ELSE
1670 # LET lbh be the result of GetBridgeheadDC(localSiteVertex.ID,
1671 # cr, t, partialReplicaOkay, detectFailedDCs)
1679 # TODO
1703 """Create NTDSConnections as necessary for all partitions.
1705 Computes an NC replica graph for each NC replica that "should be
1706 present" on the local DC or "is present" on any DC in the same site
1707 as the local DC. For each edge directed to an NC replica on such a
1708 DC from an NC replica on a DC in another site, the KCC creates an
1709 nTDSConnection object to imply that edge if one does not already
1710 exist.
1712 Modifies self.kept_connections - A set of nTDSConnection
1713 objects for edges that are directed
1714 to the local DC's site in one or more NC replica graphs.
1716 :return: True if spanning trees were created for all NC replica
1717 graphs, otherwise False.
1718 """
1722 # LET crossRefList be the set containing each object o of class
1723 # crossRef such that o is a child of the CN=Partitions child of the
1724 # config NC
1726 # FOR each crossRef object cr in crossRefList
1727 # IF cr!enabled has a value and is false, or if FLAG_CR_NTDS_NC
1728 # is clear in cr!systemFlags, skip cr.
1729 # LET g be the GRAPH return of SetupGraph()
1734 continue
1737 continue
1741 # Create nTDSConnection objects, routing replication traffic
1742 # around "failed" DCs.
1754 # One or more failed DCs preclude use of the ideal NC
1755 # replica graph. Add connections for the ideal graph.
1758 return all_connected
1761 """Generate the inter-site KCC replica graph and nTDSConnections
1763 As per MS-ADTS 6.2.2.3.
1765 If self.readonly is False, the connections are added to self.samdb.
1767 Produces self.kept_connections which is a set of NTDS
1768 Connections that should be kept during subsequent pruning
1769 process.
1771 After this has run, all sites should be connected in a minimum
1772 spanning tree.
1774 :param ping: An oracle function of remote site availability
1775 :return (True or False): (True) if the produced NC replica
1776 graph connects all sites that need to be connected
1777 """
1779 # Retrieve my DSA
1786 # Determine who is the ISTG
1792 # Test whether local site has topology disabled
1795 all_connected)
1796 return all_connected
1800 all_connected)
1801 return all_connected
1805 # For each NC with an NC replica that "should be present" on the
1806 # local DC or "is present" on any DC in the same site as the
1807 # local DC, the KCC constructs a site graph--a precursor to an NC
1808 # replica graph. The site connectivity for a site graph is defined
1809 # by objects of class interSiteTransport, siteLink, and
1810 # siteLinkBridge in the config NC.
1815 return all_connected
1817 # This function currently does no actions. The reason being that we cannot
1818 # perform modifies in this way on the RODC.
1820 """Updates the RODC NTFRS connection object.
1822 If the local DSA is not an RODC, this does nothing.
1823 """
1825 return
1827 # Given an nTDSConnection object cn1, such that cn1.options contains
1828 # NTDSCONN_OPT_RODC_TOPOLOGY, and another nTDSConnection object cn2,
1829 # does not contain NTDSCONN_OPT_RODC_TOPOLOGY, modify cn1 to ensure
1830 # that the following is true:
1831 #
1832 # cn1.fromServer = cn2.fromServer
1833 # cn1.schedule = cn2.schedule
1834 #
1835 # If no such cn2 can be found, cn1 is not modified.
1836 # If no such cn1 can be found, nothing is modified by this task.
1843 # XXX here we are dealing with multiple RODC_TOPO connections,
1844 # if they exist. It is not clear whether the spec means that
1845 # or if it ever arises.
1856 """Find the maximum number of edges directed to an intrasite node
1858 The KCC does not create more than 50 edges directed to a
1859 single DC. To optimize replication, we compute that each node
1860 should have n+2 total edges directed to it such that (n) is
1861 the smallest non-negative integer satisfying
1862 (node_count <= 2*(n*n) + 6*n + 7)
1864 (If the number of edges is m (i.e. n + 2), that is the same as
1865 2 * m*m - 2 * m + 3). We think in terms of n because that is
1866 the number of extra connections over the double directed ring
1867 that exists by default.
1869 edges n nodecount
1870 2 0 7
1871 3 1 15
1872 4 2 27
1873 5 3 43
1874 ...
1875 50 48 4903
1877 :param node_count: total number of nodes in the replica graph
1879 The intention is that there should be no more than 3 hops
1880 between any two DSAs at a site. With up to 7 nodes the 2 edges
1881 of the ring are enough; any configuration of extra edges with
1882 8 nodes will be enough. It is less clear that the 3 hop
1883 guarantee holds at e.g. 15 nodes in degenerate cases, but
1884 those are quite unlikely given the extra edges are randomly
1885 arranged.
1887 :param node_count: the number of nodes in the site
1888 "return: The desired maximum number of connections
1889 """
1893 break
1897 return n
1902 """Create an intrasite graph using given parameters
1904 This might be called a number of times per site with different
1905 parameters.
1907 Based on [MS-ADTS] 6.2.2.2
1909 :param site_local: site for which we are working
1910 :param dc_local: local DC that potentially needs a replica
1911 :param nc_x: naming context (x) that we are testing if it
1912 "should be present" on the local DC
1913 :param gc_only: Boolean - only consider global catalog servers
1914 :param detect_stale: Boolean - check whether links seems down
1915 :return: None
1916 """
1917 # We're using the MS notation names here to allow
1918 # correlation back to the published algorithm.
1919 #
1920 # nc_x - naming context (x) that we are testing if it
1921 # "should be present" on the local DC
1922 # f_of_x - replica (f) found on a DC (s) for NC (x)
1923 # dc_s - DC where f_of_x replica was found
1924 # dc_local - local DC that potentially needs a replica
1925 # (f_of_x)
1926 # r_list - replica list R
1927 # p_of_x - replica (p) is partial and found on a DC (s)
1928 # for NC (x)
1929 # l_of_x - replica (l) is the local replica for NC (x)
1930 # that should appear on the local DC
1931 # r_len = is length of replica list |R|
1932 #
1933 # If the DSA doesn't need a replica for this
1934 # partition (NC x) then continue
1949 return
1951 # Create a NCReplica that matches what the local replica
1952 # should say. We'll use this below in our r_list
1961 # Add this replica that "should be present" to the
1962 # needed replica table for this DSA
1965 # Replica list
1966 #
1967 # Let R be a sequence containing each writable replica f of x
1968 # such that f "is present" on a DC s satisfying the following
1969 # criteria:
1970 #
1971 # * s is a writable DC other than the local DC.
1972 #
1973 # * s is in the same site as the local DC.
1974 #
1975 # * If x is a read-only full replica and x is a domain NC,
1976 # then the DC's functional level is at least
1977 # DS_BEHAVIOR_WIN2008.
1978 #
1979 # * Bit NTDSSETTINGS_OPT_IS_TOPL_DETECT_STALE_DISABLED is set
1980 # in the options attribute of the site settings object for
1981 # the local DC's site, or no tuple z exists in the
1982 # kCCFailedLinks or kCCFailedConnections variables such
1983 # that z.UUIDDsa is the objectGUID of the nTDSDSA object
1984 # for s, z.FailureCount > 0, and the current time -
1985 # z.TimeFirstFailure > 2 hours.
1987 r_list = []
1989 # We'll loop thru all the DSAs looking for
1990 # writeable NC replicas that match the naming
1991 # context dn for (nc_x)
1992 #
1994 # If this partition (nc_x) doesn't appear as a
1995 # replica (f_of_x) on (dc_s) then continue
1997 continue
1999 # Pull out the NCReplica (f) of (x) with the dn
2000 # that matches NC (x) we are examining.
2003 # Replica (f) of NC (x) must be writable
2005 continue
2007 # Replica (f) of NC (x) must satisfy the
2008 # "is present" criteria for DC (s) that
2009 # it was found on
2011 continue
2013 # DC (s) must be a writable DSA other than
2014 # my local DC. In other words we'd only replicate
2015 # from other writable DC
2017 continue
2019 # Certain replica graphs are produced only
2020 # for global catalogs, so test against
2021 # method input parameter
2023 continue
2025 # DC (s) must be in the same site as the local DC
2026 # as this is the intra-site algorithm. This is
2027 # handled by virtue of placing DSAs in per
2028 # site objects (see enclosing for() loop)
2030 # If NC (x) is intended to be read-only full replica
2031 # for a domain NC on the target DC then the source
2032 # DC should have functional level at minimum WIN2008
2033 #
2034 # Effectively we're saying that in order to replicate
2035 # to a targeted RODC (which was introduced in Windows 2008)
2036 # then we have to replicate from a DC that is also minimally
2037 # at that level.
2038 #
2039 # You can also see this requirement in the MS special
2040 # considerations for RODC which state that to deploy
2041 # an RODC, at least one writable domain controller in
2042 # the domain must be running Windows Server 2008
2045 continue
2047 # If we haven't been told to turn off stale connection
2048 # detection and this dsa has a stale connection then
2049 # continue
2051 continue
2053 # Replica meets criteria. Add it to table indexed
2054 # by the GUID of the DC that it appears on
2057 # If a partial (not full) replica of NC (x) "should be present"
2058 # on the local DC, append to R each partial replica (p of x)
2059 # such that p "is present" on a DC satisfying the same
2060 # criteria defined above for full replica DCs.
2061 #
2062 # XXX This loop and the previous one differ only in whether
2063 # the replica is partial or not. here we only accept partial
2064 # (because we're partial); before we only accepted full. Order
2065 # doen't matter (the list is sorted a few lines down) so these
2066 # loops could easily be merged. Or this could be a helper
2067 # function.
2070 # Now we loop thru all the DSAs looking for
2071 # partial NC replicas that match the naming
2072 # context dn for (NC x)
2075 # If this partition NC (x) doesn't appear as a
2076 # replica (p) of NC (x) on the dsa DC (s) then
2077 # continue
2079 continue
2081 # Pull out the NCReplica with the dn that
2082 # matches NC (x) we are examining.
2085 # Replica (p) of NC (x) must be partial
2087 continue
2089 # Replica (p) of NC (x) must satisfy the
2090 # "is present" criteria for DC (s) that
2091 # it was found on
2093 continue
2095 # DC (s) must be a writable DSA other than
2096 # my DSA. In other words we'd only replicate
2097 # from other writable DSA
2099 continue
2101 # Certain replica graphs are produced only
2102 # for global catalogs, so test against
2103 # method input parameter
2105 continue
2107 # If we haven't been told to turn off stale connection
2108 # detection and this dsa has a stale connection then
2109 # continue
2111 continue
2113 # Replica meets criteria. Add it to table indexed
2114 # by the GUID of the DSA that it appears on
2117 # Append to R the NC replica that "should be present"
2118 # on the local DC
2126 # Add a node for each r_list element to the replica graph
2127 graph_list = []
2132 # For each r(i) from (0 <= i < |R|-1)
2135 # Add an edge from r(i) to r(i+1) if r(i) is a full
2136 # replica or r(i+1) is a partial replica
2140 # Add an edge from r(i+1) to r(i) if r(i+1) is a full
2141 # replica or ri is a partial replica.
2146 # Add an edge from r|R|-1 to r0 if r|R|-1 is a full replica
2147 # or r0 is a partial replica.
2151 # Add an edge from r0 to r|R|-1 if r0 is a full replica or
2152 # r|R|-1 is a partial replica.
2162 dot_edges = []
2187 rw_dot_vertices,
2196 # For each existing nTDSConnection object implying an edge
2197 # from rj of R to ri such that j != i, an edge from rj to ri
2198 # is not already in the graph, and the total edges directed
2199 # to ri is less than n+2, the KCC adds that edge to the graph.
2211 # To optimize replication latency in sites with many NC
2212 # replicas, the KCC adds new edges directed to ri to bring
2213 # the total edges to n+2, where the NC replica rk of R
2214 # from which the edge is directed is chosen at random such
2215 # that k != i and an edge from rk to ri is not already in
2216 # the graph.
2217 #
2218 # Note that the KCC tech ref does not give a number for
2219 # the definition of "sites with many NC replicas". At a
2220 # bare minimum to satisfy n+2 edges directed at a node we
2221 # have to have at least three replicas in |R| (i.e. if n
2222 # is zero then at least replicas from two other graph
2223 # nodes may direct edges to us).
2247 # Print the graph node in debug mode
2250 # For each edge directed to the local DC, ensure a nTDSConnection
2251 # points to us that satisfies the KCC criteria
2257 dot_edges = []
2282 rw_dot_vertices,
2292 """Generate the intrasite KCC connections
2294 As per MS-ADTS 6.2.2.2.
2296 If self.readonly is False, the connections are added to self.samdb.
2298 After this call, all DCs in each site with more than 3 DCs
2299 should be connected in a bidirectional ring. If a site has 2
2300 DCs, they will bidirectionally connected. Sites with many DCs
2301 may have arbitrary extra connections.
2303 :return: None
2304 """
2309 # Test whether local site has topology disabled
2312 return
2319 # Loop thru all the partitions, with gc_only False
2322 detect_stale)
2327 # If the DC is a GC server, the KCC constructs an additional NC
2328 # replica graph (and creates nTDSConnection objects) for the
2329 # config NC as above, except that only NC replicas that "are present"
2330 # on GC servers are added to R.
2335 # Do it again, with gc_only True
2339 detect_stale)
2341 # The DC repeats the NC replica graph computation and nTDSConnection
2342 # creation for each of the NC replica graphs, this time assuming
2343 # that no DC has failed. It does so by re-executing the steps as
2344 # if the bit NTDSSETTINGS_OPT_IS_TOPL_DETECT_STALE_DISABLED were
2345 # set in the options attribute of the site settings object for
2346 # the local DC's site. (ie. we set "detec_stale" flag to False)
2351 # Loop thru all the partitions.
2356 # If the DC is a GC server, the KCC constructs an additional NC
2357 # replica graph (and creates nTDSConnection objects) for the
2358 # config NC as above, except that only NC replicas that "are present"
2359 # on GC servers are added to R.
2372 """Compile a comprehensive list of DSA DNs
2374 These are all the DSAs on all the sites that KCC would be
2375 dealing with.
2377 This method is not idempotent and may not work correctly in
2378 sequence with KCC.run().
2380 :return: a list of DSA DN strings.
2381 """
2389 dsas = []
2393 return dsas
2396 """Load the database using an url, loadparm, and credentials
2398 If force is False, the samdb won't be reloaded if it already
2399 exists.
2401 :param dburl: a database url.
2402 :param lp: a loadparm object.
2403 :param creds: a Credentials object.
2404 :param force: a boolean indicating whether to overwrite.
2406 """
2417 """Helper function to plot and verify NTDSConnections
2419 :param basename: an identifying string to use in filenames and logs.
2420 :param verify_properties: properties to verify (default empty)
2421 """
2424 return
2426 dot_edges = []
2427 dot_vertices = []
2428 edge_colours = []
2429 vertex_colours = []
2454 """Perform a KCC run, possibly updating repsFrom topology
2456 :param dburl: url of the database to work with.
2457 :param lp: a loadparm object.
2458 :param creds: a Credentials object.
2459 :param forced_local_dsa: pretend to be on the DSA with this dn_str
2460 :param forget_local_links: calculate as if no connections existed
2461 (boolean, default False)
2462 :param forget_intersite_links: calculate with only intrasite connection
2463 (boolean, default False)
2464 :param attempt_live_connections: attempt to connect to remote DSAs to
2465 determine link availability (boolean, default False)
2466 :return: 1 on error, 0 otherwise
2467 """
2474 forced_local_dsa)
2477 # Setup
2487 guid_to_dnstr = {}
2495 dot_edges = []
2506 dot_edges = []
2522 dot_edges = []
2553 # Encapsulates lp and creds in a function that
2554 # attempts connections to remote DSAs.
2559 return False
2560 return True
2563 # These are the published steps (in order) for the
2564 # MS-TECH description of the KCC algorithm ([MS-ADTS] 6.2.2)
2566 # Step 1
2569 # Step 2
2572 # Step 3
2575 # Step 4
2578 # Step 5
2581 # Step 6
2584 # Step 7
2594 dot_edges = []
2595 edge_colors = []
2610 dot_edges = []
2627 raise
2632 """Import relevant objects and attributes from an LDIF file.
2634 The point of this function is to allow a programmer/debugger to
2635 import an LDIF file with non-security relevent information that
2636 was previously extracted from a DC database. The LDIF file is used
2637 to create a temporary abbreviated database. The KCC algorithm can
2638 then run against this abbreviated database for debug or test
2639 verification that the topology generated is computationally the
2640 same between different OSes and algorithms.
2642 :param dburl: path to the temporary abbreviated db to create
2643 :param lp: a loadparm object.
2644 :param ldif_file: path to the ldif file to import
2645 :param forced_local_dsa: perform KCC from this DSA's point of view
2646 :return: zero on success, 1 on error
2647 """
2650 forced_local_dsa)
2657 """Save KCC relevant details to an ldif file
2659 The point of this function is to allow a programmer/debugger to
2660 extract an LDIF file with non-security relevent information from
2661 a DC database. The LDIF file can then be used to "import" via
2662 the import_ldif() function this file into a temporary abbreviated
2663 database. The KCC algorithm can then run against this abbreviated
2664 database for debug or test verification that the topology generated
2665 is computationally the same between different OSes and algorithms.
2667 :param dburl: LDAP database URL to extract info from
2668 :param lp: a loadparm object.
2669 :param cred: a Credentials object.
2670 :param ldif_file: output LDIF file name to create
2671 :return: zero on success, 1 on error
2672 """
2675 ldif_file)