| blob | 125bc11ed86fba2f4e91b12ef2538531ecda359b |
1 #!/usr/bin/env python
2 #
3 # Compute our KCC topology
4 #
5 # Copyright (C) Dave Craft 2011
6 # Copyright (C) Andrew Bartlett 2015
7 #
8 # Andrew Bartlett's alleged work performed by his underlings Douglas
9 # Bagnall and Garming Sam.
10 #
11 # This program is free software; you can redistribute it and/or modify
12 # it under the terms of the GNU General Public License as published by
13 # the Free Software Foundation; either version 3 of the License, or
14 # (at your option) any later version.
15 #
16 # This program is distributed in the hope that it will be useful,
17 # but WITHOUT ANY WARRANTY; without even the implied warranty of
18 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 # GNU General Public License for more details.
20 #
21 # You should have received a copy of the GNU General Public License
22 # along with this program. If not, see <http://www.gnu.org/licenses/>.
24 import os
25 import sys
26 import random
28 # ensure we get messages out immediately, so they get in the samba logs,
29 # and don't get swallowed by a timeout
32 # forcing GMT avoids a problem in some timezones with kerberos. Both MIT
33 # heimdal can get mutual authentication errors due to the 24 second difference
34 # between UTC and GMT when using some zone files (eg. the PDT zone from
35 # the US)
38 # Find right directory when running from source tree
41 import optparse
42 import logging
43 import itertools
44 import heapq
45 import time
49 Ldb,
50 ldb,
51 dsdb,
52 read_and_sub_file,
53 drs_utils,
54 nttime2unix)
61 """The Knowledge Consistency Checker class.
63 A container for objects and methods allowing a run of the KCC. Produces a
64 set of connections in the samdb for which the Distributed Replication
65 Service can then utilize to replicate naming contexts
66 """
68 """Initializes the partitions class which can hold
69 our local DCs partitions or all the partitions in
70 the forest
71 """
77 # TODO: These should be backed by a 'permanent' store so that when
78 # calling DRSGetReplInfo with DS_REPL_INFO_KCC_DSA_CONNECT_FAILURES,
79 # the failure information can be returned
83 # Used in inter-site topology computation. A list
84 # of connections (by NTDSConnection object) that are
85 # to be kept when pruning un-needed NTDS Connections
98 """Loads the inter-site transport objects for Sites
100 ::returns: Raises an Exception on error
101 """
109 estr)
118 # already loaded
120 continue
122 # Assign this transport to table
123 # and index by guid
127 """Loads the inter-site siteLink objects
129 ::returns: Raises an Exception on error
130 """
142 # already loaded
144 continue
150 # Assign this siteLink to table
151 # and index by dn
155 """Loads the Site class for the local DSA
157 ::returns: Raises an Exception on error
158 """
170 """Discover all sites and instantiate and load each
171 NTDS Site settings.
173 ::returns: Raises an Exception on error
174 """
189 # already loaded
191 continue
196 """Discover my nTDSDSA dn thru the rootDSE entry
198 ::returns: Raises an Exception on error.
199 """
209 # We work around the failure above by looking at the
210 # dsServiceName that was put in the fake rootdse by
211 # the --exportldif, rather than the
212 # samdb.get_ntds_GUID(). The disadvantage is that this
213 # mode requires we modify the @ROOTDSE dnq to support
214 # --forced-local-dsa
235 """Discover all NCs thru the Partitions dn and
236 instantiate and load the NCs.
238 Each NC is inserted into the part_table by partition
239 dn string (not the nCName dn string)
241 ::returns: Raises an Exception on error
242 """
254 # already loaded
256 continue
264 """Enumerate all loaded partitions and DSAs in local
265 site and test if NC should be present as replica
266 """
274 """Instead of NULL link with failure_count = 0, the tuple is simply removed"""
276 # LINKS: Refresh failed links
280 # For every possible connection to replicate
284 continue
295 dns_name)
297 #elif f.failure_count == 0:
298 # f.failure_count = failure_count
299 # f.time_first_failure = time_first_failure
300 # f.last_result = last_result
306 # CONNECTIONS: Refresh failed connections
311 # Failed connection is no longer failing
314 # Failed connection still failing
317 # Remove the restored connections from the failed connections
321 """Returns False if no tuple z exists in the kCCFailedLinks or
322 kCCFailedConnections variables such that z.UUIDDsa is the
323 objectGUID of the target dsa, z.FailureCount > 0, and
324 the current time - z.TimeFirstFailure > 2 hours.
325 """
326 # Returns True if tuple z exists...
329 # failure_count should be > 0, but check anyways
332 # TODO guard against future
337 # Perform calculation in seconds
339 return True
341 # TODO connections
343 return False
345 # TODO: This should be backed by some form of local database
347 # Remove all tuples in kcc_failed_links where failure count = 0
348 # In this implementation, this should never happen.
350 # Remove all connections which were not used this run or connections
351 # that became active during this run.
352 pass
355 """Removes unneeded NTDS Connections after computation
356 of KCC intra and inter-site topology has finished.
357 """
360 # Loop thru connections
366 continue
368 # Get the source DSA no matter what site
371 # Check if the DSA is in our site
377 # Given an nTDSConnection object cn, if the DC with the
378 # nTDSDSA object dc that is the parent object of cn and
379 # the DC with the nTDSDA object referenced by cn!fromServer
380 # are in the same site, the KCC on dc deletes cn if all of
381 # the following are true:
382 #
383 # Bit NTDSCONN_OPT_IS_GENERATED is clear in cn!options.
384 #
385 # No site settings object s exists for the local DC's site, or
386 # bit NTDSSETTINGS_OPT_IS_TOPL_CLEANUP_DISABLED is clear in
387 # s!options.
388 #
389 # Another nTDSConnection object cn2 exists such that cn and
390 # cn2 have the same parent object, cn!fromServer = cn2!fromServer,
391 # and either
392 #
393 # cn!whenCreated < cn2!whenCreated
394 #
395 # cn!whenCreated = cn2!whenCreated and
396 # cn!objectGUID < cn2!objectGUID
397 #
398 # Bit NTDSCONN_OPT_RODC_TOPOLOGY is clear in cn!options
401 continue
404 continue
406 # Loop thru connections looking for a duplicate that
407 # fulfills the previous criteria
412 continue
416 continue
418 # If the NTDS Connections has a different
419 # fromServer field then no match
421 continue
423 #XXX GUID comparison
429 break
434 # Given an nTDSConnection object cn, if the DC with the nTDSDSA
435 # object dc that is the parent object of cn and the DC with
436 # the nTDSDSA object referenced by cn!fromServer are in
437 # different sites, a KCC acting as an ISTG in dc's site
438 # deletes cn if all of the following are true:
439 #
440 # Bit NTDSCONN_OPT_IS_GENERATED is clear in cn!options.
441 #
442 # cn!fromServer references an nTDSDSA object for a DC
443 # in a site other than the local DC's site.
444 #
445 # The keepConnections sequence returned by
446 # CreateIntersiteConnections() does not contain
447 # cn!objectGUID, or cn is "superseded by" (see below)
448 # another nTDSConnection cn2 and keepConnections
449 # contains cn2!objectGUID.
450 #
451 # The return value of CreateIntersiteConnections()
452 # was true.
453 #
454 # Bit NTDSCONN_OPT_RODC_TOPOLOGY is clear in
455 # cn!options
456 #
460 continue
463 continue
465 # TODO
466 # We are directly using this connection in intersite or
467 # we are using a connection which can supersede this one.
468 #
469 # MS-ADTS 6.2.2.4 - Removing Unnecessary Connections does not
470 # appear to be correct.
471 #
472 # 1. cn!fromServer and cn!parent appear inconsistent with no cn2
473 # 2. The repsFrom do not imply each other
474 #
476 continue
478 # This is the result of create_intersite_connections
480 continue
493 # Peform deletion from our tables but perform
494 # no database modification
497 # Commit any modified connections
501 """Given a DSA guid string, consule all sites looking
502 for the corresponding DSA and return it.
503 """
507 return dsa
508 return None
511 """Given a DSA dn string, consule all sites looking
512 for the corresponding DSA and return it.
513 """
517 return dsa
518 return None
521 """Update t_repsFrom if necessary to satisfy requirements. Such
522 updates are typically required when the IDL_DRSGetNCChanges
523 server has moved from one site to another--for example, to
524 enable compression when the server is moved from the
525 client's site to another site.
527 :param n_rep: NC replica we need
528 :param t_repsFrom: repsFrom tuple to modify
529 :param s_rep: NC replica at source DSA
530 :param s_dsa: source DSA
531 :param cn_conn: Local DSA NTDSConnection child
533 ::returns: (update) bit field containing which portion of the
534 repsFrom was modified. This bit field is suitable as input
535 to IDL_DRSReplicaModify ulModifyFields element, as it consists
536 of these bits:
537 drsuapi.DRSUAPI_DRS_UPDATE_SCHEDULE
538 drsuapi.DRSUAPI_DRS_UPDATE_FLAGS
539 drsuapi.DRSUAPI_DRS_UPDATE_ADDRESS
540 """
551 # if schedule doesn't match then update and modify
555 # Bit DRS_PER_SYNC is set in replicaFlags if and only
556 # if nTDSConnection schedule has a value v that specifies
557 # scheduled replication is to be performed at least once
558 # per week.
565 # Bit DRS_INIT_SYNC is set in t.replicaFlags if and only
566 # if the source DSA and the local DC's nTDSDSA object are
567 # in the same site or source dsa is the FSMO role owner
568 # of one or more FSMO roles in the NC replica.
575 # If bit NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT is set in
576 # cn!options, bit DRS_NEVER_NOTIFY is set in t.replicaFlags
577 # if and only if bit NTDSCONN_OPT_USE_NOTIFY is clear in
578 # cn!options. Otherwise, bit DRS_NEVER_NOTIFY is set in
579 # t.replicaFlags if and only if s and the local DC's
580 # nTDSDSA object are in different sites.
595 # Bit DRS_USE_COMPRESSION is set in t.replicaFlags if
596 # and only if s and the local DC's nTDSDSA object are
597 # not in the same site and the
598 # NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION bit is
599 # clear in cn!options
608 # Bit DRS_TWOWAY_SYNC is set in t.replicaFlags if and only
609 # if bit NTDSCONN_OPT_TWOWAY_SYNC is set in cn!options.
616 # Bits DRS_DISABLE_AUTO_SYNC and DRS_DISABLE_PERIODIC_SYNC are
617 # set in t.replicaFlags if and only if cn!enabledConnection = false.
623 drsuapi.DRSUAPI_DRS_DISABLE_AUTO_SYNC
628 drsuapi.DRSUAPI_DRS_DISABLE_PERIODIC_SYNC
630 # If s and the local DC's nTDSDSA object are in the same site,
631 # cn!transportType has no value, or the RDN of cn!transportType
632 # is CN=IP:
633 #
634 # Bit DRS_MAIL_REP in t.replicaFlags is clear.
635 #
636 # t.uuidTransport = NULL GUID.
637 #
638 # t.uuidDsa = The GUID-based DNS name of s.
639 #
640 # Otherwise:
641 #
642 # Bit DRS_MAIL_REP in t.replicaFlags is set.
643 #
644 # If x is the object with dsname cn!transportType,
645 # t.uuidTransport = x!objectGUID.
646 #
647 # Let a be the attribute identified by
648 # x!transportAddressAttribute. If a is
649 # the dNSHostName attribute, t.uuidDsa = the GUID-based
650 # DNS name of s. Otherwise, t.uuidDsa = (s!parent)!a.
651 #
652 # It appears that the first statement i.e.
653 #
654 # "If s and the local DC's nTDSDSA object are in the same
655 # site, cn!transportType has no value, or the RDN of
656 # cn!transportType is CN=IP:"
657 #
658 # could be a slightly tighter statement if it had an "or"
659 # between each condition. I believe this should
660 # be interpreted as:
661 #
662 # IF (same-site) OR (no-value) OR (type-ip)
663 #
664 # because IP should be the primary transport mechanism
665 # (even in inter-site) and the absense of the transportType
666 # attribute should always imply IP no matter if its multi-site
667 #
668 # NOTE MS-TECH INCORRECT:
669 #
670 # All indications point to these statements above being
671 # incorrectly stated:
672 #
673 # t.uuidDsa = The GUID-based DNS name of s.
674 #
675 # Let a be the attribute identified by
676 # x!transportAddressAttribute. If a is
677 # the dNSHostName attribute, t.uuidDsa = the GUID-based
678 # DNS name of s. Otherwise, t.uuidDsa = (s!parent)!a.
679 #
680 # because the uuidDSA is a GUID and not a GUID-base DNS
681 # name. Nor can uuidDsa hold (s!parent)!a if not
682 # dNSHostName. What should have been said is:
683 #
684 # t.naDsa = The GUID-based DNS name of s
685 #
686 # That would also be correct if transportAddressAttribute
687 # were "mailAddress" because (naDsa) can also correctly
688 # hold the SMTP ISM service address.
689 #
692 # We're not currently supporting SMTP replication
693 # so is_smtp_replication_available() is currently
694 # always returning False
709 # See (NOTE MS-TECH INCORRECT) above
727 # We have a transport type but its not an
728 # object in the database
738 # See (NOTE MS-TECH INCORRECT) above
754 # MS tech specification says we retrieve the named
755 # attribute in "transportAddressAttribute" from the parent of
756 # the DSA object
771 # See (NOTE MS-TECH INCORRECT) above
789 """Given a NC replica and NTDS Connection, determine if the connection
790 implies a repsFrom tuple should be present from the source DSA listed
791 in the connection to the naming context
793 :param n_rep: NC replica
794 :param conn: NTDS Connection
795 ::returns (True || False), source DSA:
796 """
797 # NTDS Connection must satisfy all the following criteria
798 # to imply a repsFrom tuple is needed:
799 #
800 # cn!enabledConnection = true.
801 # cn!options does not contain NTDSCONN_OPT_RODC_TOPOLOGY.
802 # cn!fromServer references an nTDSDSA object.
811 # No DSA matching this source DN string?
815 # To imply a repsFrom tuple is needed, each of these
816 # must be True:
817 #
818 # An NC replica of the NC "is present" on the DC to
819 # which the nTDSDSA object referenced by cn!fromServer
820 # corresponds.
821 #
822 # An NC replica of the NC "should be present" on
823 # the local DC
829 # To imply a repsFrom tuple is needed, each of these
830 # must be True:
831 #
832 # The NC replica on the DC referenced by cn!fromServer is
833 # a writable replica or the NC replica that "should be
834 # present" on the local DC is a partial replica.
835 #
836 # The NC is not a domain NC, the NC replica that
837 # "should be present" on the local DC is a partial
838 # replica, cn!transportType has no value, or
839 # cn!transportType has an RDN of CN=IP.
840 #
853 """This function adjusts values of repsFrom abstract attributes of NC
854 replicas on the local DC to match those implied by
855 nTDSConnection objects.
856 [MS-ADTS] 6.2.2.5
857 """
860 return
866 # Filled in with replicas we currently have that need deleting
869 # We're using the MS notation names here to allow
870 # correlation back to the published algorithm.
871 #
872 # n_rep - NC replica (n)
873 # t_repsFrom - tuple (t) in n!repsFrom
874 # s_dsa - Source DSA of the replica. Defined as nTDSDSA
875 # object (s) such that (s!objectGUID = t.uuidDsa)
876 # In our IDL representation of repsFrom the (uuidDsa)
877 # attribute is called (source_dsa_obj_guid)
878 # cn_conn - (cn) is nTDSConnection object and child of the local DC's
879 # nTDSDSA object and (cn!fromServer = s)
880 # s_rep - source DSA replica of n
881 #
882 # If we have the replica and its not needed
883 # then we add it to the "to be deleted" list.
895 # Now perform the scan of replicas we'll need
896 # and compare any current repsFrom against the
897 # connections
900 # load any repsFrom and fsmo roles as we'll
901 # need them during connection translation
905 # Loop thru the existing repsFrom tupples (if any)
908 # for each tuple t in n!repsFrom, let s be the nTDSDSA
909 # object such that s!objectGUID = t.uuidDsa
913 # Source dsa is gone from config (strange)
914 # so cleanup stale repsFrom for unlisted DSA
917 guidstr)
919 continue
923 # Retrieve my DSAs connection object (if it exists)
924 # that specifies the fromServer equivalent to
925 # the DSA that is specified in the repsFrom source
928 # Let (cn) be the nTDSConnection object such that (cn)
929 # is a child of the local DC's nTDSDSA object and
930 # (cn!fromServer = s) and (cn!options) does not contain
931 # NTDSCONN_OPT_RODC_TOPOLOGY or NULL if no such (cn) exists.
935 # KCC removes this repsFrom tuple if any of the following
936 # is true:
937 # cn = NULL.
938 #
939 # No NC replica of the NC "is present" on DSA that
940 # would be source of replica
941 #
942 # A writable replica of the NC "should be present" on
943 # the local DC, but a partial replica "is present" on
944 # the source DSA
952 continue
954 # If the KCC did not remove t from n!repsFrom, it updates t
957 # Loop thru connections and add implied repsFrom tuples
958 # for each NTDSConnection under our local DSA if the
959 # repsFrom is not already present
964 continue
966 # Loop thru the existing repsFrom tupples (if any) and
967 # if we already have a tuple for this connection then
968 # no need to proceed to add. It will have been changed
969 # to have the correct attributes above
975 break
978 continue
980 # Create a new RepsFromTo and proceed to modify
981 # it according to specification
990 # Add to our NC repsFrom as this is newly computed
995 # Display any to be deleted or modified repsFrom
1003 # Peform deletion from our tables but perform
1004 # no database modification
1007 # Commit any modified repsFrom to the NC replica
1011 """Determines if the connection is meant to be kept during the
1012 pruning of unneeded connections operation.
1014 Consults the keep_connection_list[] which was built during
1015 intersite NC replica graph computation.
1017 ::returns (True or False): if (True) connection should not be pruned
1018 """
1020 return True
1021 return False
1024 """Merge of kCCFailedLinks and kCCFailedLinks from bridgeheads.
1025 The KCC on a writable DC attempts to merge the link and connection
1026 failure information from bridgehead DCs in its own site to help it
1027 identify failed bridgehead DCs.
1028 """
1029 # MS-TECH Ref 6.2.2.3.2 Merge of kCCFailedLinks and kCCFailedLinks
1030 # from Bridgeheads
1032 # 1. Queries every bridgehead server in your site (other than yourself)
1033 # 2. For every ntDSConnection that references a server in a different
1034 # site merge all the failure info
1035 #
1036 # XXX - not implemented yet
1039 """Set up a GRAPH, populated with a VERTEX for each site
1040 object, a MULTIEDGE for each siteLink object, and a
1041 MUTLIEDGESET for each siteLinkBridge object (or implied
1042 siteLinkBridge).
1044 ::returns: a new graph
1045 """
1046 guid_to_vertex = {}
1047 # Create graph
1049 # Add vertices
1063 # Currently only ever "IP"
1069 # If 'Bridge all site links' is enabled and Win2k3 bridges required is not set
1070 # NTDSTRANSPORT_OPT_BRIDGES_REQUIRED 0x00000002
1071 # No documentation for this however, ntdsapi.h appears to have listed:
1072 # NTDSSETTINGS_OPT_W2K3_BRIDGES_REQUIRED = 0x00001000
1077 # TODO get all site link bridges
1080 site_link_bridge))
1084 return g
1087 """Get a bridghead DC.
1089 :param site: site object representing for which a bridgehead
1090 DC is desired.
1091 :param part: crossRef for NC to replicate.
1092 :param transport: interSiteTransport object for replication
1093 traffic.
1094 :param partial_ok: True if a DC containing a partial
1095 replica or a full replica will suffice, False if only
1096 a full replica will suffice.
1097 :param detect_failed: True to detect failed DCs and route
1098 replication traffic around them, False to assume no DC
1099 has failed.
1100 ::returns: dsa object for the bridgehead DC or None
1101 """
1108 return None
1116 """Get all bridghead DCs satisfying the given criteria
1118 :param site: site object representing the site for which
1119 bridgehead DCs are desired.
1120 :param part: partition for NC to replicate.
1121 :param transport: interSiteTransport object for
1122 replication traffic.
1123 :param partial_ok: True if a DC containing a partial
1124 replica or a full replica will suffice, False if
1125 only a full replica will suffice.
1126 :param detect_ok: True to detect failed DCs and route
1127 replication traffic around them, FALSE to assume
1128 no DC has failed.
1129 ::returns: list of dsa object for available bridgehead
1130 DCs or None
1131 """
1133 bhs = []
1142 # IF t!bridgeheadServerListBL has one or more values and
1143 # t!bridgeheadServerListBL does not contain a reference
1144 # to the parent object of dc then skip dc
1147 continue
1149 # IF dc is in the same site as the local DC
1150 # IF a replica of cr!nCName is not in the set of NC replicas
1151 # that "should be present" on dc or a partial replica of the
1152 # NC "should be present" but partialReplicasOkay = FALSE
1153 # Skip dc
1157 continue
1159 # ELSE
1160 # IF an NC replica of cr!nCName is not in the set of NC
1161 # replicas that "are present" on dc or a partial replica of
1162 # the NC "is present" but partialReplicasOkay = FALSE
1163 # Skip dc
1167 continue
1169 # IF AmIRODC() and cr!nCName corresponds to default NC then
1170 # Let dsaobj be the nTDSDSA object of the dc
1171 # IF dsaobj.msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
1172 # Skip dc
1175 continue
1177 # IF t!name != "IP" and the parent object of dc has no value for
1178 # the attribute specified by t!transportAddressAttribute
1179 # Skip dc
1181 # MS tech specification says we retrieve the named
1182 # attribute in "transportAddressAttribute" from the parent
1183 # of the DSA object
1190 continue
1194 continue
1198 # IF BridgeheadDCFailed(dc!objectGUID, detectFailedDCs) = TRUE
1199 # Skip dc
1201 continue
1206 # IF bit NTDSSETTINGS_OPT_IS_RAND_BH_SELECTION_DISABLED is set in
1207 # s!options
1208 # SORT bhs such that all GC servers precede DCs that are not GC
1209 # servers, and otherwise by ascending objectGUID
1210 # ELSE
1211 # SORT bhs in a random order
1217 return bhs
1221 """Determine whether a given DC is known to be in a failed state
1222 ::returns: True if and only if the DC should be considered failed
1223 """
1224 # NTDSSETTINGS_OPT_IS_TOPL_DETECT_STALE_DISABLED = 0x00000008
1225 # When DETECT_STALE_DISABLED, we can never know of if it's in a failed state
1227 return False
1229 return True
1236 """Create an nTDSConnection object with the given parameters
1237 if one does not already exist.
1239 :param part: crossRef object for the NC to replicate.
1240 :param rbh: nTDSDSA object for DC to act as the
1241 IDL_DRSGetNCChanges server (which is in a site other
1242 than the local DC's site).
1243 :param rsite: site of the rbh
1244 :param transport: interSiteTransport object for the transport
1245 to use for replication traffic.
1246 :param lbh: nTDSDSA object for DC to act as the
1247 IDL_DRSGetNCChanges client (which is in the local DC's site).
1248 :param lsite: site of the lbh
1249 :param link_opt: Replication parameters (aggregated siteLink options, etc.)
1250 :param link_sched: Schedule specifying the times at which
1251 to begin replicating.
1252 :partial_ok: True if bridgehead DCs containing partial
1253 replicas of the NC are acceptable.
1254 :param detect_failed: True to detect failed DCs and route
1255 replication traffic around them, FALSE to assume no DC
1256 has failed.
1257 """
1261 # MS-TECH says to compute rbhs_avail but then doesn't use it
1262 # rbhs_avail = self.get_all_bridgeheads(rsite, part, transport,
1263 # partial_ok, detect_failed)
1268 # MS-TECH says to compute lbhs_avail but then doesn't use it
1269 # lbhs_avail = self.get_all_bridgeheads(lsite, part, transport,
1270 # partial_ok, detect_failed)
1272 # FOR each nTDSConnection object cn such that the parent of cn is
1273 # a DC in lbhsAll and cn!fromServer references a DC in rbhsAll
1280 break
1283 continue
1285 # IF bit NTDSCONN_OPT_IS_GENERATED is set in cn!options and
1286 # NTDSCONN_OPT_RODC_TOPOLOGY is clear in cn!options and
1287 # cn!transportType references t
1291 # IF bit NTDSCONN_OPT_USER_OWNED_SCHEDULE is clear in
1292 # cn!options and cn!schedule != sch
1293 # Perform an originating update to set cn!schedule to
1294 # sched
1300 # IF bits NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT and
1301 # NTDSCONN_OPT_USE_NOTIFY are set in cn
1305 # IF bit NTDSSITELINK_OPT_USE_NOTIFY is clear in
1306 # ri.Options
1307 # Perform an originating update to clear bits
1308 # NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT and
1309 # NTDSCONN_OPT_USE_NOTIFY in cn!options
1316 # ELSE
1319 # IF bit NTDSSITELINK_OPT_USE_NOTIFY is set in
1320 # ri.Options
1321 # Perform an originating update to set bits
1322 # NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT and
1323 # NTDSCONN_OPT_USE_NOTIFY in cn!options
1331 # IF bit NTDSCONN_OPT_TWOWAY_SYNC is set in cn!options
1334 # IF bit NTDSSITELINK_OPT_TWOWAY_SYNC is clear in
1335 # ri.Options
1336 # Perform an originating update to clear bit
1337 # NTDSCONN_OPT_TWOWAY_SYNC in cn!options
1342 # ELSE
1345 # IF bit NTDSSITELINK_OPT_TWOWAY_SYNC is set in
1346 # ri.Options
1347 # Perform an originating update to set bit
1348 # NTDSCONN_OPT_TWOWAY_SYNC in cn!options
1354 # IF bit NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION is set
1355 # in cn!options
1358 # IF bit NTDSSITELINK_OPT_DISABLE_COMPRESSION is clear
1359 # in ri.Options
1360 # Perform an originating update to clear bit
1361 # NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION in
1362 # cn!options
1366 ~dsdb.NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION
1369 # ELSE
1371 # IF bit NTDSSITELINK_OPT_DISABLE_COMPRESSION is set in
1372 # ri.Options
1373 # Perform an originating update to set bit
1374 # NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION in
1375 # cn!options
1379 dsdb.NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION
1382 # Display any modified connection
1390 # ENDFOR
1394 # FOR each nTDSConnection object cn such that cn!parent is
1395 # a DC in lbhsAll and cn!fromServer references a DC in rbhsAll
1402 break
1405 continue
1407 # IF (bit NTDSCONN_OPT_IS_GENERATED is clear in cn!options or
1408 # cn!transportType references t) and
1409 # NTDSCONN_OPT_RODC_TOPOLOGY is clear in cn!options
1414 # LET rguid be the objectGUID of the nTDSDSA object
1415 # referenced by cn!fromServer
1416 # LET lguid be (cn!parent)!objectGUID
1418 # IF BridgeheadDCFailed(rguid, detectFailedDCs) = FALSE and
1419 # BridgeheadDCFailed(lguid, detectFailedDCs) = FALSE
1420 # Increment cValidConnections by 1
1425 # IF keepConnections does not contain cn!objectGUID
1426 # APPEND cn!objectGUID to keepConnections
1430 # ENDFOR
1432 # IF cValidConnections = 0
1435 # LET opt be NTDSCONN_OPT_IS_GENERATED
1438 # IF bit NTDSSITELINK_OPT_USE_NOTIFY is set in ri.Options
1439 # SET bits NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT and
1440 # NTDSCONN_OPT_USE_NOTIFY in opt
1445 # IF bit NTDSSITELINK_OPT_TWOWAY_SYNC is set in ri.Options
1446 # SET bit NTDSCONN_OPT_TWOWAY_SYNC opt
1450 # IF bit NTDSSITELINK_OPT_DISABLE_COMPRESSION is set in
1451 # ri.Options
1452 # SET bit NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION in opt
1457 # Perform an originating update to create a new nTDSConnection
1458 # object cn that is a child of lbh, cn!enabledConnection = TRUE,
1459 # cn!options = opt, cn!transportType is a reference to t,
1460 # cn!fromServer is a reference to rbh, and cn!schedule = sch
1463 # Display any added connection
1472 # APPEND cn!objectGUID to keepConnections
1478 # The docs ([MS-ADTS] 6.2.2.3.4.3) say to use local_vertex
1479 # here and in the, but using vertex seems to make more
1480 # sense. That is, it wants this:
1481 #
1482 #bh = self.get_bridgehead(vertex.site, vertex.part, transport,
1483 # local_vertex.is_black(), detect_failed)
1484 #
1485 # TODO WHY?????
1492 continue
1494 # FLAG_CR_NTDS_DOMAIN 0x00000002
1497 continue
1500 continue
1507 continue
1512 # Add additional transport to allow another run of Dijkstra
1516 return found_failed
1519 """Construct an NC replica graph for the NC identified by
1520 the given crossRef, then create any additional nTDSConnection
1521 objects required.
1523 :param graph: site graph.
1524 :param part: crossRef object for NC.
1525 :param detect_failed: True to detect failed DCs and route
1526 replication traffic around them, False to assume no DC
1527 has failed.
1529 Modifies self.keep_connection_list by adding any connections
1530 deemed to be "in use".
1532 ::returns: (all_connected, found_failed_dc)
1533 (all_connected) True if the resulting NC replica graph
1534 connects all sites that need to be connected.
1535 (found_failed_dc) True if one or more failed DCs were
1536 detected.
1537 """
1544 # XXX - This is a highly abbreviated function from the MS-TECH
1545 # ref. It creates connections between bridgeheads to all
1546 # sites that have appropriate replicas. Thus we are not
1547 # creating a minimum cost spanning tree but instead
1548 # producing a fully connected tree. This should produce
1549 # a full (albeit not optimal cost) replication topology.
1559 # No NC replicas for this NC in the site of the local DC,
1560 # so no nTDSConnection objects need be created
1570 # LET partialReplicaOkay be TRUE if and only if
1571 # localSiteVertex.Color = COLOR.BLACK
1577 # Utilize the IP transport only for now
1581 break
1588 continue
1595 # We don't make connections to our own site as that
1596 # is intrasite topology generator's job
1598 continue
1600 # Determine bridgehead server in remote site
1604 # RODC acts as an BH for itself
1605 # IF AmIRODC() then
1606 # LET lbh be the nTDSDSA object of the local DC
1607 # ELSE
1608 # LET lbh be the result of GetBridgeheadDC(localSiteVertex.ID,
1609 # cr, t, partialReplicaOkay, detectFailedDCs)
1617 # TODO
1636 """Computes an NC replica graph for each NC replica that "should be
1637 present" on the local DC or "is present" on any DC in the same site
1638 as the local DC. For each edge directed to an NC replica on such a
1639 DC from an NC replica on a DC in another site, the KCC creates an
1640 nTDSConnection object to imply that edge if one does not already
1641 exist.
1643 Modifies self.keep_connection_list - A list of nTDSConnection
1644 objects for edges that are directed
1645 to the local DC's site in one or more NC replica graphs.
1647 returns: True if spanning trees were created for all NC replica
1648 graphs, otherwise False.
1649 """
1653 # LET crossRefList be the set containing each object o of class
1654 # crossRef such that o is a child of the CN=Partitions child of the
1655 # config NC
1657 # FOR each crossRef object cr in crossRefList
1658 # IF cr!enabled has a value and is false, or if FLAG_CR_NTDS_NC
1659 # is clear in cr!systemFlags, skip cr.
1660 # LET g be the GRAPH return of SetupGraph()
1665 continue
1668 continue
1672 # Create nTDSConnection objects, routing replication traffic
1673 # around "failed" DCs.
1682 # One or more failed DCs preclude use of the ideal NC
1683 # replica graph. Add connections for the ideal graph.
1686 return all_connected
1689 # Phase 1: Run Dijkstra's to get a list of internal edges, which are
1690 # just the shortest-paths connecting colored vertices
1699 # All con_type in an edge set is the same
1721 # Run dijkstra's algorithm with just the red vertices as seeds
1722 # Seed from the full replicas
1725 # Process edge set
1728 # Run dijkstra's algorithm with red and black vertices as the seeds
1729 # Seed from both full and partial replicas
1732 # Process edge set
1735 # All vertices have root/component as itself
1749 # Phase 2: Run Kruskal's on the internal edges
1752 # This recalculates the cost for the path connecting the closest red vertex
1753 # Ignoring types is fine because NO suboptimal edge should exist in the graph
1755 # Phase 3: Process the output
1765 verify_properties = ('complete', 'connected', 'multi_edge_forest', 'forest', 'directed_double_ring')
1770 # count the components
1773 # This ensures only one-way connections for partial-replicas
1775 edge_list = []
1779 # Three-way edges are no problem here since these were created by
1780 # add_out_edge which only has two endpoints
1793 return edge_list
1796 """The head method for generating the inter-site KCC replica
1797 connection graph and attendant nTDSConnection objects
1798 in the samdb.
1800 Produces self.keep_connection_list[] of NTDS Connections
1801 that should be kept during subsequent pruning process.
1803 ::return (True or False): (True) if the produced NC replica
1804 graph connects all sites that need to be connected
1805 """
1807 # Retrieve my DSA
1814 # Determine who is the ISTG
1820 # Test whether local site has topology disabled
1823 all_connected)
1824 return all_connected
1828 all_connected)
1829 return all_connected
1833 # For each NC with an NC replica that "should be present" on the
1834 # local DC or "is present" on any DC in the same site as the
1835 # local DC, the KCC constructs a site graph--a precursor to an NC
1836 # replica graph. The site connectivity for a site graph is defined
1837 # by objects of class interSiteTransport, siteLink, and
1838 # siteLinkBridge in the config NC.
1843 return all_connected
1846 """Runs when the local DC is an RODC and updates the RODC NTFRS
1847 connection object.
1848 """
1849 # Given an nTDSConnection object cn1, such that cn1.options contains
1850 # NTDSCONN_OPT_RODC_TOPOLOGY, and another nTDSConnection object cn2,
1851 # does not contain NTDSCONN_OPT_RODC_TOPOLOGY, modify cn1 to ensure
1852 # that the following is true:
1853 #
1854 # cn1.fromServer = cn2.fromServer
1855 # cn1.schedule = cn2.schedule
1856 #
1857 # If no such cn2 can be found, cn1 is not modified.
1858 # If no such cn1 can be found, nothing is modified by this task.
1861 return
1864 # Find cn2 - the DRS NTDSConnection
1867 cn2 = con
1868 break
1870 # Find cn1 - the FRS NTDSConnection
1878 # Commit changes to the database
1882 """Returns the maximum number of edges directed to a node in
1883 the intrasite replica graph.
1885 The KCC does not create more
1886 than 50 edges directed to a single DC. To optimize replication,
1887 we compute that each node should have n+2 total edges directed
1888 to it such that (n) is the smallest non-negative integer
1889 satisfying (node_count <= 2*(n*n) + 6*n + 7)
1891 (If the number of edges is m (i.e. n + 2), that is the same as
1892 2 * m*m - 2 * m + 3).
1894 edges n nodecount
1895 2 0 7
1896 3 1 15
1897 4 2 27
1898 5 3 43
1899 ...
1900 50 48 4903
1902 :param node_count: total number of nodes in the replica graph
1903 """
1907 break
1911 return n
1916 # [MS-ADTS] 6.2.2.2
1917 # We're using the MS notation names here to allow
1918 # correlation back to the published algorithm.
1919 #
1920 # nc_x - naming context (x) that we are testing if it
1921 # "should be present" on the local DC
1922 # f_of_x - replica (f) found on a DC (s) for NC (x)
1923 # dc_s - DC where f_of_x replica was found
1924 # dc_local - local DC that potentially needs a replica
1925 # (f_of_x)
1926 # r_list - replica list R
1927 # p_of_x - replica (p) is partial and found on a DC (s)
1928 # for NC (x)
1929 # l_of_x - replica (l) is the local replica for NC (x)
1930 # that should appear on the local DC
1931 # r_len = is length of replica list |R|
1932 #
1933 # If the DSA doesn't need a replica for this
1934 # partition (NC x) then continue
1948 return
1950 # Create a NCReplica that matches what the local replica
1951 # should say. We'll use this below in our r_list
1960 # Add this replica that "should be present" to the
1961 # needed replica table for this DSA
1964 # Replica list
1965 #
1966 # Let R be a sequence containing each writable replica f of x
1967 # such that f "is present" on a DC s satisfying the following
1968 # criteria:
1969 #
1970 # * s is a writable DC other than the local DC.
1971 #
1972 # * s is in the same site as the local DC.
1973 #
1974 # * If x is a read-only full replica and x is a domain NC,
1975 # then the DC's functional level is at least
1976 # DS_BEHAVIOR_WIN2008.
1977 #
1978 # * Bit NTDSSETTINGS_OPT_IS_TOPL_DETECT_STALE_DISABLED is set
1979 # in the options attribute of the site settings object for
1980 # the local DC's site, or no tuple z exists in the
1981 # kCCFailedLinks or kCCFailedConnections variables such
1982 # that z.UUIDDsa is the objectGUID of the nTDSDSA object
1983 # for s, z.FailureCount > 0, and the current time -
1984 # z.TimeFirstFailure > 2 hours.
1986 r_list = []
1988 # We'll loop thru all the DSAs looking for
1989 # writeable NC replicas that match the naming
1990 # context dn for (nc_x)
1991 #
1994 # If this partition (nc_x) doesn't appear as a
1995 # replica (f_of_x) on (dc_s) then continue
1997 continue
1999 # Pull out the NCReplica (f) of (x) with the dn
2000 # that matches NC (x) we are examining.
2003 # Replica (f) of NC (x) must be writable
2005 continue
2007 # Replica (f) of NC (x) must satisfy the
2008 # "is present" criteria for DC (s) that
2009 # it was found on
2011 continue
2013 # DC (s) must be a writable DSA other than
2014 # my local DC. In other words we'd only replicate
2015 # from other writable DC
2017 continue
2019 # Certain replica graphs are produced only
2020 # for global catalogs, so test against
2021 # method input parameter
2023 continue
2025 # DC (s) must be in the same site as the local DC
2026 # as this is the intra-site algorithm. This is
2027 # handled by virtue of placing DSAs in per
2028 # site objects (see enclosing for() loop)
2030 # If NC (x) is intended to be read-only full replica
2031 # for a domain NC on the target DC then the source
2032 # DC should have functional level at minimum WIN2008
2033 #
2034 # Effectively we're saying that in order to replicate
2035 # to a targeted RODC (which was introduced in Windows 2008)
2036 # then we have to replicate from a DC that is also minimally
2037 # at that level.
2038 #
2039 # You can also see this requirement in the MS special
2040 # considerations for RODC which state that to deploy
2041 # an RODC, at least one writable domain controller in
2042 # the domain must be running Windows Server 2008
2045 continue
2047 # If we haven't been told to turn off stale connection
2048 # detection and this dsa has a stale connection then
2049 # continue
2051 continue
2053 # Replica meets criteria. Add it to table indexed
2054 # by the GUID of the DC that it appears on
2057 # If a partial (not full) replica of NC (x) "should be present"
2058 # on the local DC, append to R each partial replica (p of x)
2059 # such that p "is present" on a DC satisfying the same
2060 # criteria defined above for full replica DCs.
2061 #
2062 # XXX This loop and the previous one differ only in whether
2063 # the replica is partial or not. here we only accept partial
2064 # (because we're partial); before we only accepted full. Order
2065 # doen't matter (the list is sorted a few lines down) so these
2066 # loops could easily be merged. Or this could be a helper
2067 # function.
2071 # Now we loop thru all the DSAs looking for
2072 # partial NC replicas that match the naming
2073 # context dn for (NC x)
2076 # If this partition NC (x) doesn't appear as a
2077 # replica (p) of NC (x) on the dsa DC (s) then
2078 # continue
2080 continue
2082 # Pull out the NCReplica with the dn that
2083 # matches NC (x) we are examining.
2086 # Replica (p) of NC (x) must be partial
2088 continue
2090 # Replica (p) of NC (x) must satisfy the
2091 # "is present" criteria for DC (s) that
2092 # it was found on
2094 continue
2096 # DC (s) must be a writable DSA other than
2097 # my DSA. In other words we'd only replicate
2098 # from other writable DSA
2100 continue
2102 # Certain replica graphs are produced only
2103 # for global catalogs, so test against
2104 # method input parameter
2106 continue
2108 # DC (s) must be in the same site as the local DC
2109 # as this is the intra-site algorithm. This is
2110 # handled by virtue of placing DSAs in per
2111 # site objects (see enclosing for() loop)
2113 # This criteria is moot (a no-op) for this case
2114 # because we are scanning for (partial = True). The
2115 # MS algorithm statement says partial replica scans
2116 # should adhere to the "same" criteria as full replica
2117 # scans so the criteria doesn't change here...its just
2118 # rendered pointless.
2119 #
2120 # The case that is occurring would be a partial domain
2121 # replica is needed on a local DC global catalog. There
2122 # is no minimum windows behavior for those since GCs
2123 # have always been present.
2126 continue
2128 # If we haven't been told to turn off stale connection
2129 # detection and this dsa has a stale connection then
2130 # continue
2132 continue
2134 # Replica meets criteria. Add it to table indexed
2135 # by the GUID of the DSA that it appears on
2138 # Append to R the NC replica that "should be present"
2139 # on the local DC
2148 # Add a node for each r_list element to the replica graph
2149 graph_list = []
2154 # For each r(i) from (0 <= i < |R|-1)
2157 # Add an edge from r(i) to r(i+1) if r(i) is a full
2158 # replica or r(i+1) is a partial replica
2162 # Add an edge from r(i+1) to r(i) if r(i+1) is a full
2163 # replica or ri is a partial replica.
2168 # Add an edge from r|R|-1 to r0 if r|R|-1 is a full replica
2169 # or r0 is a partial replica.
2173 # Add an edge from r0 to r|R|-1 if r0 is a full replica or
2174 # r|R|-1 is a partial replica.
2179 dot_edges = []
2195 # For each existing nTDSConnection object implying an edge
2196 # from rj of R to ri such that j != i, an edge from rj to ri
2197 # is not already in the graph, and the total edges directed
2198 # to ri is less than n+2, the KCC adds that edge to the graph.
2208 # To optimize replication latency in sites with many NC replicas, the
2209 # KCC adds new edges directed to ri to bring the total edges to n+2,
2210 # where the NC replica rk of R from which the edge is directed
2211 # is chosen at random such that k != i and an edge from rk to ri
2212 # is not already in the graph.
2213 #
2214 # Note that the KCC tech ref does not give a number for the definition
2215 # of "sites with many NC replicas". At a bare minimum to satisfy
2216 # n+2 edges directed at a node we have to have at least three replicas
2217 # in |R| (i.e. if n is zero then at least replicas from two other graph
2218 # nodes may direct edges to us).
2239 # Print the graph node in debug mode
2242 # For each edge directed to the local DC, ensure a nTDSConnection
2243 # points to us that satisfies the KCC criteria
2250 dot_edges = []
2258 verify_properties = ('complete', 'connected', 'multi_edge_forest', 'forest', 'directed_double_ring')
2266 """The head method for generating the intra-site KCC replica
2267 connection graph and attendant nTDSConnection objects
2268 in the samdb
2269 """
2270 # Retrieve my DSA
2275 # Test whether local site has topology disabled
2278 return
2285 # Loop thru all the partitions, with gc_only False
2288 detect_stale)
2294 # If the DC is a GC server, the KCC constructs an additional NC
2295 # replica graph (and creates nTDSConnection objects) for the
2296 # config NC as above, except that only NC replicas that "are present"
2297 # on GC servers are added to R.
2302 # Do it again, with gc_only True
2306 detect_stale)
2308 # The DC repeats the NC replica graph computation and nTDSConnection
2309 # creation for each of the NC replica graphs, this time assuming
2310 # that no DC has failed. It does so by re-executing the steps as
2311 # if the bit NTDSSETTINGS_OPT_IS_TOPL_DETECT_STALE_DISABLED were
2312 # set in the options attribute of the site settings object for
2313 # the local DC's site. (ie. we set "detec_stale" flag to False)
2318 # Loop thru all the partitions.
2323 # If the DC is a GC server, the KCC constructs an additional NC
2324 # replica graph (and creates nTDSConnection objects) for the
2325 # config NC as above, except that only NC replicas that "are present"
2326 # on GC servers are added to R.
2337 # Display any to be added or modified repsFrom
2348 # Commit any newly created connections to the samdb
2353 """Method to perform a complete run of the KCC and
2354 produce an updated topology for subsequent NC replica
2355 syncronization between domain controllers
2356 """
2357 # We may already have a samdb setup if we are
2358 # currently importing an ldif for a test run
2374 # Setup
2385 dot_edges = []
2394 dot_edges = []
2400 #print dir(x)
2407 dot_edges = []
2417 dot_edges = []
2428 # These are the published steps (in order) for the
2429 # MS-TECH description of the KCC algorithm ([MS-ADTS] 6.2.2)
2431 # Step 1
2434 # Step 2
2437 # Step 3
2440 # Step 4
2443 # Step 5
2446 # Step 6
2449 # Step 7
2454 dot_edges = []
2459 verify_properties = ('complete', 'connected', 'multi_edge_forest', 'forest', 'directed_double_ring')
2465 raise
2470 """Routine to import all objects and attributes that are relevent
2471 to the KCC algorithms from a previously exported LDIF file.
2473 The point of this function is to allow a programmer/debugger to
2474 import an LDIF file with non-security relevent information that
2475 was previously extracted from a DC database. The LDIF file is used
2476 to create a temporary abbreviated database. The KCC algorithm can
2477 then run against this abbreviated database for debug or test
2478 verification that the topology generated is computationally the
2479 same between different OSes and algorithms.
2481 :param dburl: path to the temporary abbreviated db to create
2482 :param ldif_file: path to the ldif file to import
2483 """
2486 dburl)
2489 # Use ["modules:"] as we are attempting to build a sam
2490 # database as opposed to start it here.
2500 changetype: modify
2501 replace: dsServiceName
2503 -
2515 # We have an abbreviated list of options here because we have built
2516 # an abbreviated database. We use the rootdse and extended-dn
2517 # modules only during this re-open
2524 """Routine to extract all objects and attributes that are relevent
2525 to the KCC algorithms from a DC database.
2527 The point of this function is to allow a programmer/debugger to
2528 extract an LDIF file with non-security relevent information from
2529 a DC database. The LDIF file can then be used to "import" via
2530 the import_ldif() function this file into a temporary abbreviated
2531 database. The KCC algorithm can then run against this abbreviated
2532 database for debug or test verification that the topology generated
2533 is computationally the same between different OSes and algorithms.
2535 :param dburl: LDAP database URL to extract info from
2536 :param ldif_file: output LDIF file name to create
2537 """
2549 ldif_file)
2559 # Query Partitions
2577 # Write partitions output
2580 # Query cross reference container
2595 # Write cross reference container output
2598 # Query Sites
2610 # Write sites output
2613 # Query NTDS Site Settings
2630 # Write Site Settings output
2633 # Naming context list
2634 nclist = []
2636 # Query Directory Service Agents
2659 # Spin thru all the DSAs looking for NC replicas
2660 # and build a list of all possible Naming Contexts
2661 # for subsequent retrieval below
2666 # Some of these have binary DNs so
2667 # use dsdb_Dn to split out relevent parts
2673 # Write DSA output
2676 # Query NTDS Connections
2695 # Write NTDS Connection output
2699 # Query Intersite transports
2715 # Write inter-site transport output
2718 # Query siteLink
2737 # Write siteLink output
2740 # Query siteLinkBridge
2752 # Write siteLinkBridge output
2755 # Query servers containers
2756 # Needed for samdb.server_site_name()
2768 # Write servers container output
2771 # Query servers
2772 # Needed because some transport interfaces refer back to
2773 # attributes found in the server object. Also needed
2774 # so extended-dn will be happy with dsServiceName in rootDSE
2788 # Write server output
2791 # Query Naming Context replicas
2806 # Write naming context output
2809 # Query rootDSE replicas
2824 # Record the rootDSE object as a dn as it
2825 # would appear in the base ldb file. We have
2826 # to save it this way because we are going to
2827 # be importing as an abbreviated database.
2830 # Write rootdse output
2840 ##################################################
2841 # Global Functions
2842 ##################################################
2854 """Currently always returns false because Samba
2855 doesn't implement SMTP transfer for NC changes
2856 between DCs
2857 """
2858 return False
2878 return e
2887 return e_set
2890 # TODO not implemented - need to store all site link bridges
2892 # e_set.guid = site_link_bridge
2893 return e_set
2912 queue = []
2919 # add new path from vertex to v
2926 continue
2939 # What this function checks is that there is a valid time frame for
2940 # which replication can actually occur, despite being adequately
2941 # connected
2944 # If the new path costs more than the current, then ignore the edge
2946 return
2949 return
2954 # Cheaper or longer schedule
2963 return
2965 # Accepts neither red-red nor black edges, demote
2973 return
2992 # Find the set of all vertices touches the edge to examine
2993 vertices = []
2995 # Append a 4-tuple of color, repl cost, guid and vertex
2997 # Sort by color, lower
3001 # Add to internal edges an edge from every colored vertex to bestV
3004 continue
3006 # Only add edge if valid inter-tree edge - needs a root and
3007 # different components
3013 # Add internal edge, endpoints are roots of the vertices to pass in and are always colored
3025 return
3029 return
3034 # Create the transitive replInfo for the two trees and this edge
3036 return
3037 # ri is now initialized
3039 return
3042 # Order by vertex guid
3043 #XXX guid comparison using ndr_pack
3057 # Sorted based on internal comparison function of internal edge
3063 output_edges = []
3081 return vertex
3083 current = vertex
3087 root = current
3088 current = vertex
3092 current = n
3094 return root
3100 # This multi-edge is a 'real' edge with no GUID
3114 ##################################################
3115 # samba_kcc entry point
3116 ##################################################
3206 # initialize seed from optional input parameter
3219 break
3221 pass
3223 # else happens if break doesn't --> no match
3232 # Instantiate Knowledge Consistency Checker and perform run