| blob | 22590d0c6c57c2101e99683be679cfa93721f584 |
1 # define the KCC object
2 #
3 # Copyright (C) Dave Craft 2011
4 # Copyright (C) Andrew Bartlett 2015
5 #
6 # Andrew Bartlett's alleged work performed by his underlings Douglas
7 # Bagnall and Garming Sam.
8 #
9 # This program is free software; you can redistribute it and/or modify
10 # it under the terms of the GNU General Public License as published by
11 # the Free Software Foundation; either version 3 of the License, or
12 # (at your option) any later version.
13 #
14 # This program is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 # GNU General Public License for more details.
18 #
19 # You should have received a copy of the GNU General Public License
20 # along with this program. If not, see <http://www.gnu.org/licenses/>.
22 import random
23 import uuid
25 import itertools
51 """Helper to sort DSAs by guid global catalog status
53 GC DSAs come before non-GC DSAs, other than that, the guids are
54 sorted in NDR form.
56 :param dsa1: A DSA object
57 :param dsa2: Another DSA
58 :return: -1, 0, or 1, indicating sort order.
59 """
68 """Can the KCC use SMTP replication?
70 Currently always returns false because Samba doesn't implement
71 SMTP transfer for NC changes between DCs.
73 :return: Boolean (always False)
74 """
75 return False
79 """The Knowledge Consistency Checker class.
81 A container for objects and methods allowing a run of the KCC. Produces a
82 set of connections in the samdb for which the Distributed Replication
83 Service can then utilize to replicate naming contexts
85 :param unix_now: The putative current time in seconds since 1970.
86 :param readonly: Don't write to the database.
87 :param verify: Check topological invariants for the generated graphs
88 :param debug: Write verbosely to stderr.
89 :param dot_file_dir: write diagnostic Graphviz files in this directory
90 """
93 """Initializes the partitions class which can hold
94 our local DCs partitions or all the partitions in
95 the forest
96 """
107 # TODO: These should be backed by a 'permanent' store so that when
108 # calling DRSGetReplInfo with DS_REPL_INFO_KCC_DSA_CONNECT_FAILURES,
109 # the failure information can be returned
113 # Used in inter-site topology computation. A list
114 # of connections (by NTDSConnection object) that are
115 # to be kept when pruning un-needed NTDS Connections
134 """Loads the inter-site transport objects for Sites
136 :return: None
137 :raise KCCError: if no IP transport is found
138 """
147 estr)
169 """Loads the inter-site siteLink objects
171 :return: None
172 :raise KCCError: if site-links aren't found
173 """
186 # already loaded
188 continue
194 # Assign this siteLink to table
195 # and index by dn
199 """Helper for load_my_site and load_all_sites.
201 Put all the site's DSAs into the KCC indices.
203 :param dn_str: a site dn_str
204 :return: the Site object pertaining to the dn_str
205 """
209 # We avoid replacing the site with an identical copy in case
210 # somewhere else has a reference to the old one, which would
211 # lead to all manner of confusion and chaos.
222 """Load the Site object for the local DSA.
224 :return: None
225 """
233 """Discover all sites and create Site objects.
235 :return: None
236 :raise: KCCError if sites can't be found
237 """
252 """Discover my nTDSDSA dn thru the rootDSE entry
254 :return: None
255 :raise: KCCError if DSA can't be found
256 """
265 "This typically happens in --importldif mode due "
268 # We work around the failure above by looking at the
269 # dsServiceName that was put in the fake rootdse by
270 # the --exportldif, rather than the
271 # samdb.get_ntds_GUID(). The disadvantage is that this
272 # mode requires we modify the @ROOTDSE dnq to support
273 # --forced-local-dsa
302 "Let's add it, because my_dsa is special!"
310 """Discover and load all partitions.
312 Each NC is inserted into the part_table by partition
313 dn string (not the nCName dn string)
315 :return: None
316 :raise: KCCError if partitions can't be found
317 """
330 # already loaded
332 continue
340 """Ensure the failed links list is up to date
342 Based on MS-ADTS 6.2.2.1
344 :param ping: An oracle function of remote site availability
345 :return: None
346 """
347 # LINKS: Refresh failed links
351 # For every possible connection to replicate
355 continue
366 dns_name)
371 time_first_failure)
374 # CONNECTIONS: Refresh failed connections
380 # Failed connection is no longer failing
388 # Remove the restored connections from the failed connections
392 """Check whether a link to a remote DSA is stale
394 Used in MS-ADTS 6.2.2.2 Intrasite Connection Creation
396 Returns True if the remote seems to have been down for at
397 least two hours, otherwise False.
399 :param target_dsa: the remote DSA object
400 :return: True if link is stale, otherwise False
401 """
404 # failure_count should be > 0, but check anyways
406 unix_first_failure = \
408 # TODO guard against future
413 # Perform calculation in seconds
415 return True
417 # TODO connections.
418 # We have checked failed *links*, but we also need to check
419 # *connections*
421 return False
423 # TODO: This should be backed by some form of local database
425 # Remove all tuples in kcc_failed_links where failure count = 0
426 # In this implementation, this should never happen.
428 # Remove all connections which were not used this run or connections
429 # that became active during this run.
430 pass
433 """Load or fake-load NTDSConnections lacking GUIDs
435 New connections don't have GUIDs and created times which are
436 needed for sorting. If we're in read-only mode, we make fake
437 GUIDs, otherwise we ask SamDB to do it for us.
439 :param connections: an iterable of NTDSConnection objects.
440 :return: None
441 """
451 """Find NTDS Connections that lack a remote
453 I'm not sure how they appear. Let's be rid of them by marking
454 them with the to_be_deleted attribute.
456 :return: None
457 """
462 cn_conn))
466 """Find unneeded intrasite NTDS Connections for removal
468 Based on MS-ADTS 6.2.2.4 Removing Unnecessary Connections.
469 Every DC removes its own unnecessary intrasite connections.
470 This function tags them with the to_be_deleted attribute.
472 :return: None
473 """
474 # XXX should an RODC be regarded as same site? It isn't part
475 # of the intrasite ring.
480 return
487 # RODC never actually added any connections to begin with
489 return
491 local_connections = []
502 # Avoid "ValueError: r cannot be bigger than the iterable" in
503 # for a, b in itertools.permutations(local_connections, 2):
505 return
518 """find unneeded intersite NTDS Connections for removal
520 Based on MS-ADTS 6.2.2.4 Removing Unnecessary Connections. The
521 intersite topology generator removes links for all DCs in its
522 site. Here we just tag them with the to_be_deleted attribute.
524 :return: None
525 """
526 # TODO Figure out how best to handle the RODC case
527 # The RODC is ISTG, but shouldn't act on anyone's behalf.
529 return
531 # Find the intersite connections
533 connections_and_dsas = []
537 continue
540 continue
543 # Samba ONLY: ISTG removes connections to dead DCs
548 continue
554 continue
556 # If the connection is in the kept_connections list, we
557 # only remove it if an endpoint seems down.
561 continue
563 # this one is broken and might be superseded by another.
564 # But which other? Let's just say another link to the same
565 # site can supersede.
584 # Perform deletion from our tables but perform
585 # no database modification
588 # Commit any modified connections
592 """Remove unneeded NTDS Connections once topology is calculated
594 Based on MS-ADTS 6.2.2.4 Removing Unnecessary Connections
596 :param all_connected: indicates whether all sites are connected
597 :return: None
598 """
601 # if we are not the istg, we're done!
602 # if we are the istg, but all_connected is False, we also do nothing.
610 """Update an repsFrom object if required.
612 Part of MS-ADTS 6.2.2.5.
614 Update t_repsFrom if necessary to satisfy requirements. Such
615 updates are typically required when the IDL_DRSGetNCChanges
616 server has moved from one site to another--for example, to
617 enable compression when the server is moved from the
618 client's site to another site.
620 The repsFrom.update_flags bit field may be modified
621 auto-magically if any changes are made here. See
622 kcc_utils.RepsFromTo for gory details.
625 :param n_rep: NC replica we need
626 :param t_repsFrom: repsFrom tuple to modify
627 :param s_rep: NC replica at source DSA
628 :param s_dsa: source DSA
629 :param cn_conn: Local DSA NTDSConnection child
631 :return: None
632 """
636 # if schedule doesn't match then update and modify
641 # Bit DRS_ADD_REF is set in replicaFlags unconditionally
642 # Samba ONLY:
647 # Bit DRS_PER_SYNC is set in replicaFlags if and only
648 # if nTDSConnection schedule has a value v that specifies
649 # scheduled replication is to be performed at least once
650 # per week.
657 # Bit DRS_INIT_SYNC is set in t.replicaFlags if and only
658 # if the source DSA and the local DC's nTDSDSA object are
659 # in the same site or source dsa is the FSMO role owner
660 # of one or more FSMO roles in the NC replica.
667 # If bit NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT is set in
668 # cn!options, bit DRS_NEVER_NOTIFY is set in t.replicaFlags
669 # if and only if bit NTDSCONN_OPT_USE_NOTIFY is clear in
670 # cn!options. Otherwise, bit DRS_NEVER_NOTIFY is set in
671 # t.replicaFlags if and only if s and the local DC's
672 # nTDSDSA object are in different sites.
677 # WARNING
678 #
679 # it LOOKS as if this next test is a bit silly: it
680 # checks the flag then sets it if it not set; the same
681 # effect could be achieved by unconditionally setting
682 # it. But in fact the repsFrom object has special
683 # magic attached to it, and altering replica_flags has
684 # side-effects. That is bad in my opinion, but there
685 # you go.
689 drsuapi.DRSUAPI_DRS_NEVER_NOTIFY
697 # Bit DRS_USE_COMPRESSION is set in t.replicaFlags if
698 # and only if s and the local DC's nTDSDSA object are
699 # not in the same site and the
700 # NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION bit is
701 # clear in cn!options
710 # Bit DRS_TWOWAY_SYNC is set in t.replicaFlags if and only
711 # if bit NTDSCONN_OPT_TWOWAY_SYNC is set in cn!options.
718 # Bits DRS_DISABLE_AUTO_SYNC and DRS_DISABLE_PERIODIC_SYNC are
719 # set in t.replicaFlags if and only if cn!enabledConnection = false.
725 drsuapi.DRSUAPI_DRS_DISABLE_AUTO_SYNC
730 drsuapi.DRSUAPI_DRS_DISABLE_PERIODIC_SYNC
732 # If s and the local DC's nTDSDSA object are in the same site,
733 # cn!transportType has no value, or the RDN of cn!transportType
734 # is CN=IP:
735 #
736 # Bit DRS_MAIL_REP in t.replicaFlags is clear.
737 #
738 # t.uuidTransport = NULL GUID.
739 #
740 # t.uuidDsa = The GUID-based DNS name of s.
741 #
742 # Otherwise:
743 #
744 # Bit DRS_MAIL_REP in t.replicaFlags is set.
745 #
746 # If x is the object with dsname cn!transportType,
747 # t.uuidTransport = x!objectGUID.
748 #
749 # Let a be the attribute identified by
750 # x!transportAddressAttribute. If a is
751 # the dNSHostName attribute, t.uuidDsa = the GUID-based
752 # DNS name of s. Otherwise, t.uuidDsa = (s!parent)!a.
753 #
754 # It appears that the first statement i.e.
755 #
756 # "If s and the local DC's nTDSDSA object are in the same
757 # site, cn!transportType has no value, or the RDN of
758 # cn!transportType is CN=IP:"
759 #
760 # could be a slightly tighter statement if it had an "or"
761 # between each condition. I believe this should
762 # be interpreted as:
763 #
764 # IF (same-site) OR (no-value) OR (type-ip)
765 #
766 # because IP should be the primary transport mechanism
767 # (even in inter-site) and the absence of the transportType
768 # attribute should always imply IP no matter if its multi-site
769 #
770 # NOTE MS-TECH INCORRECT:
771 #
772 # All indications point to these statements above being
773 # incorrectly stated:
774 #
775 # t.uuidDsa = The GUID-based DNS name of s.
776 #
777 # Let a be the attribute identified by
778 # x!transportAddressAttribute. If a is
779 # the dNSHostName attribute, t.uuidDsa = the GUID-based
780 # DNS name of s. Otherwise, t.uuidDsa = (s!parent)!a.
781 #
782 # because the uuidDSA is a GUID and not a GUID-base DNS
783 # name. Nor can uuidDsa hold (s!parent)!a if not
784 # dNSHostName. What should have been said is:
785 #
786 # t.naDsa = The GUID-based DNS name of s
787 #
788 # That would also be correct if transportAddressAttribute
789 # were "mailAddress" because (naDsa) can also correctly
790 # hold the SMTP ISM service address.
791 #
800 # See (NOTE MS-TECH INCORRECT) above
802 # NOTE: it looks like these conditionals are pointless,
803 # because the state will end up as `t_repsFrom.dns_name1 ==
804 # nastr` in either case, BUT the repsFrom thing is magic and
805 # assigning to it alters some flags. So we try not to update
806 # it unless necessary.
817 """If a connection imply a replica, find the relevant DSA
819 Given a NC replica and NTDS Connection, determine if the
820 connection implies a repsFrom tuple should be present from the
821 source DSA listed in the connection to the naming context. If
822 it should be, return the DSA; otherwise return None.
824 Based on part of MS-ADTS 6.2.2.5
826 :param n_rep: NC replica
827 :param cn_conn: NTDS Connection
828 :return: source DSA or None
829 """
830 # XXX different conditions for "implies" than MS-ADTS 6.2.2
831 # preamble.
833 # It boils down to: we want an enabled, non-FRS connections to
834 # a valid remote DSA with a non-RO replica corresponding to
835 # n_rep.
838 return None
843 # No DSA matching this source DN string?
845 return None
852 return s_dsa
853 return None
856 """Adjust repsFrom to match NTDSConnections
858 This function adjusts values of repsFrom abstract attributes of NC
859 replicas on the local DC to match those implied by
860 nTDSConnection objects.
862 Based on [MS-ADTS] 6.2.2.5
864 :param current_dsa: optional DSA on whose behalf we are acting.
865 :return: None
866 """
877 return
883 # Filled in with replicas we currently have that need deleting
886 # We're using the MS notation names here to allow
887 # correlation back to the published algorithm.
888 #
889 # n_rep - NC replica (n)
890 # t_repsFrom - tuple (t) in n!repsFrom
891 # s_dsa - Source DSA of the replica. Defined as nTDSDSA
892 # object (s) such that (s!objectGUID = t.uuidDsa)
893 # In our IDL representation of repsFrom the (uuidDsa)
894 # attribute is called (source_dsa_obj_guid)
895 # cn_conn - (cn) is nTDSConnection object and child of the local
896 # DC's nTDSDSA object and (cn!fromServer = s)
897 # s_rep - source DSA replica of n
898 #
899 # If we have the replica and its not needed
900 # then we add it to the "to be deleted" list.
902 # If we're on the RODC, hardcode the update flags
908 drsuapi.DRSUAPI_DRS_PER_SYNC |
909 drsuapi.DRSUAPI_DRS_ADD_REF |
910 drsuapi.DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING |
923 # TODO Must delete repsFrom/repsTo for these replicas
928 # HANDLE REPS-FROM
929 #
930 # Now perform the scan of replicas we'll need
931 # and compare any current repsFrom against the
932 # connections
935 # load any repsFrom and fsmo roles as we'll
936 # need them during connection translation
940 # Loop thru the existing repsFrom tuples (if any)
941 # XXX This is a list and could contain duplicates
942 # (multiple load_repsFrom calls)
945 # for each tuple t in n!repsFrom, let s be the nTDSDSA
946 # object such that s!objectGUID = t.uuidDsa
950 # Source dsa is gone from config (strange)
951 # so cleanup stale repsFrom for unlisted DSA
954 guidstr)
956 continue
958 # Find the connection that this repsFrom would use. If
959 # there isn't a good one (i.e. non-RODC_TOPOLOGY,
960 # meaning non-FRS), we delete the repsFrom.
965 break
967 # no break means no non-rodc_topology connection exists
969 continue
971 # KCC removes this repsFrom tuple if any of the following
972 # is true:
973 # No NC replica of the NC "is present" on DSA that
974 # would be source of replica
975 #
976 # A writable replica of the NC "should be present" on
977 # the local DC, but a partial replica "is present" on
978 # the source DSA
985 continue
987 # If the KCC did not remove t from n!repsFrom, it updates t
990 # Loop thru connections and add implied repsFrom tuples
991 # for each NTDSConnection under our local DSA if the
992 # repsFrom is not already present
997 continue
999 # Loop thru the existing repsFrom tuples (if any) and
1000 # if we already have a tuple for this connection then
1001 # no need to proceed to add. It will have been changed
1002 # to have the correct attributes above
1007 break
1010 continue
1012 # Create a new RepsFromTo and proceed to modify
1013 # it according to specification
1022 # Add to our NC repsFrom as this is newly computed
1027 # Display any to be deleted or modified repsFrom
1035 # Perform deletion from our tables but perform
1036 # no database modification
1039 # Commit any modified repsFrom to the NC replica
1042 # HANDLE REPS-TO:
1043 #
1044 # Now perform the scan of replicas we'll need
1045 # and compare any current repsTo against the
1046 # connections
1048 # RODC should never push to anybody (should we check this?)
1050 return
1054 # load any repsTo and fsmo roles as we'll
1055 # need them during connection translation
1058 # Loop thru the existing repsTo tuples (if any)
1059 # XXX This is a list and could contain duplicates
1060 # (multiple load_repsTo calls)
1063 # for each tuple t in n!repsTo, let s be the nTDSDSA
1064 # object such that s!objectGUID = t.uuidDsa
1068 # Source dsa is gone from config (strange)
1069 # so cleanup stale repsTo for unlisted DSA
1072 guidstr)
1074 continue
1076 # Find the connection that this repsTo would use. If
1077 # there isn't a good one (i.e. non-RODC_TOPOLOGY,
1078 # meaning non-FRS), we delete the repsTo.
1082 guidstr)
1084 continue
1088 # Then this repsTo is tentatively valid
1089 continue
1091 # There is no plausible connection for this repsTo
1095 # Display any to be deleted or modified repsTo
1100 # Perform deletion from our tables but perform
1101 # no database modification
1104 # Commit any modified repsTo to the NC replica
1107 # TODO Remove any duplicate repsTo values. This should never happen in
1108 # any normal situations.
1111 """Merge of kCCFailedLinks and kCCFailedLinks from bridgeheads.
1113 The KCC on a writable DC attempts to merge the link and connection
1114 failure information from bridgehead DCs in its own site to help it
1115 identify failed bridgehead DCs.
1117 Based on MS-ADTS 6.2.2.3.2 "Merge of kCCFailedLinks and kCCFailedLinks
1118 from Bridgeheads"
1120 :param ping: An oracle of current bridgehead availability
1121 :return: None
1122 """
1123 # 1. Queries every bridgehead server in your site (other than yourself)
1124 # 2. For every ntDSConnection that references a server in a different
1125 # site merge all the failure info
1126 #
1127 # XXX - not implemented yet
1136 """Set up an intersite graph
1138 An intersite graph has a Vertex for each site object, a
1139 MultiEdge for each SiteLink object, and a MutliEdgeSet for
1140 each siteLinkBridge object (or implied siteLinkBridge). It
1141 reflects the intersite topology in a slightly more abstract
1142 graph form.
1144 Roughly corresponds to MS-ADTS 6.2.2.3.4.3
1146 :param part: a Partition object
1147 :returns: an InterSiteGraph object
1148 """
1149 # If 'Bridge all site links' is enabled and Win2k3 bridges required
1150 # is not set
1151 # NTDSTRANSPORT_OPT_BRIDGES_REQUIRED 0x00000002
1152 # No documentation for this however, ntdsapi.h appears to have:
1153 # NTDSSETTINGS_OPT_W2K3_BRIDGES_REQUIRED = 0x00001000
1161 dot_edges = []
1165 verify_properties = ()
1173 return g
1176 """Get a bridghead DC for a site.
1178 Part of MS-ADTS 6.2.2.3.4.4
1180 :param site: site object representing for which a bridgehead
1181 DC is desired.
1182 :param part: crossRef for NC to replicate.
1183 :param transport: interSiteTransport object for replication
1184 traffic.
1185 :param partial_ok: True if a DC containing a partial
1186 replica or a full replica will suffice, False if only
1187 a full replica will suffice.
1188 :param detect_failed: True to detect failed DCs and route
1189 replication traffic around them, False to assume no DC
1190 has failed.
1191 :return: dsa object for the bridgehead DC or None
1192 """
1199 return None
1207 """Get all bridghead DCs on a site satisfying the given criteria
1209 Part of MS-ADTS 6.2.2.3.4.4
1211 :param site: site object representing the site for which
1212 bridgehead DCs are desired.
1213 :param part: partition for NC to replicate.
1214 :param transport: interSiteTransport object for
1215 replication traffic.
1216 :param partial_ok: True if a DC containing a partial
1217 replica or a full replica will suffice, False if
1218 only a full replica will suffice.
1219 :param detect_failed: True to detect failed DCs and route
1220 replication traffic around them, FALSE to assume
1221 no DC has failed.
1222 :return: list of dsa object for available bridgehead DCs
1223 """
1224 bhs = []
1236 # IF t!bridgeheadServerListBL has one or more values and
1237 # t!bridgeheadServerListBL does not contain a reference
1238 # to the parent object of dc then skip dc
1241 continue
1243 # IF dc is in the same site as the local DC
1244 # IF a replica of cr!nCName is not in the set of NC replicas
1245 # that "should be present" on dc or a partial replica of the
1246 # NC "should be present" but partialReplicasOkay = FALSE
1247 # Skip dc
1251 continue
1254 # ELSE
1255 # IF an NC replica of cr!nCName is not in the set of NC
1256 # replicas that "are present" on dc or a partial replica of
1257 # the NC "is present" but partialReplicasOkay = FALSE
1258 # Skip dc
1262 continue
1264 # IF AmIRODC() and cr!nCName corresponds to default NC then
1265 # Let dsaobj be the nTDSDSA object of the dc
1266 # IF dsaobj.msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
1267 # Skip dc
1270 continue
1272 # IF BridgeheadDCFailed(dc!objectGUID, detectFailedDCs) = TRUE
1273 # Skip dc
1276 continue
1281 # IF bit NTDSSETTINGS_OPT_IS_RAND_BH_SELECTION_DISABLED is set in
1282 # s!options
1283 # SORT bhs such that all GC servers precede DCs that are not GC
1284 # servers, and otherwise by ascending objectGUID
1285 # ELSE
1286 # SORT bhs in a random order
1292 return bhs
1295 """Determine whether a given DC is known to be in a failed state
1297 :param dsa: the bridgehead to test
1298 :param detect_failed: True to really check, False to assume no failure
1299 :return: True if and only if the DC should be considered failed
1301 Here we DEPART from the pseudo code spec which appears to be
1302 wrong. It says, in full:
1304 /***** BridgeheadDCFailed *****/
1305 /* Determine whether a given DC is known to be in a failed state.
1306 * IN: objectGUID - objectGUID of the DC's nTDSDSA object.
1307 * IN: detectFailedDCs - TRUE if and only failed DC detection is
1308 * enabled.
1309 * RETURNS: TRUE if and only if the DC should be considered to be in a
1310 * failed state.
1311 */
1312 BridgeheadDCFailed(IN GUID objectGUID, IN bool detectFailedDCs) : bool
1313 {
1314 IF bit NTDSSETTINGS_OPT_IS_TOPL_DETECT_STALE_DISABLED is set in
1315 the options attribute of the site settings object for the local
1316 DC's site
1317 RETURN FALSE
1318 ELSEIF a tuple z exists in the kCCFailedLinks or
1319 kCCFailedConnections variables such that z.UUIDDsa =
1320 objectGUID, z.FailureCount > 1, and the current time -
1321 z.TimeFirstFailure > 2 hours
1322 RETURN TRUE
1323 ELSE
1324 RETURN detectFailedDCs
1325 ENDIF
1326 }
1328 where you will see detectFailedDCs is not behaving as
1329 advertised -- it is acting as a default return code in the
1330 event that a failure is not detected, not a switch turning
1331 detection on or off. Elsewhere the documentation seems to
1332 concur with the comment rather than the code.
1333 """
1335 return False
1337 # NTDSSETTINGS_OPT_IS_TOPL_DETECT_STALE_DISABLED = 0x00000008
1338 # When DETECT_STALE_DISABLED, we can never know of if
1339 # it's in a failed state
1341 return False
1348 """Create an nTDSConnection object as specified if it doesn't exist.
1350 Part of MS-ADTS 6.2.2.3.4.5
1352 :param part: crossRef object for the NC to replicate.
1353 :param rbh: nTDSDSA object for DC to act as the
1354 IDL_DRSGetNCChanges server (which is in a site other
1355 than the local DC's site).
1356 :param rsite: site of the rbh
1357 :param transport: interSiteTransport object for the transport
1358 to use for replication traffic.
1359 :param lbh: nTDSDSA object for DC to act as the
1360 IDL_DRSGetNCChanges client (which is in the local DC's site).
1361 :param lsite: site of the lbh
1362 :param link_opt: Replication parameters (aggregated siteLink options,
1363 etc.)
1364 :param link_sched: Schedule specifying the times at which
1365 to begin replicating.
1366 :partial_ok: True if bridgehead DCs containing partial
1367 replicas of the NC are acceptable.
1368 :param detect_failed: True to detect failed DCs and route
1369 replication traffic around them, FALSE to assume no DC
1370 has failed.
1371 """
1379 # MS-TECH says to compute rbhs_avail but then doesn't use it
1380 # rbhs_avail = self.get_all_bridgeheads(rsite, part, transport,
1381 # partial_ok, detect_failed)
1391 # MS-TECH says to compute lbhs_avail but then doesn't use it
1392 # lbhs_avail = self.get_all_bridgeheads(lsite, part, transport,
1393 # partial_ok, detect_failed)
1395 # FOR each nTDSConnection object cn such that the parent of cn is
1396 # a DC in lbhsAll and cn!fromServer references a DC in rbhsAll
1402 continue
1405 # IF bit NTDSCONN_OPT_IS_GENERATED is set in cn!options and
1406 # NTDSCONN_OPT_RODC_TOPOLOGY is clear in cn!options and
1407 # cn!transportType references t
1412 # IF bit NTDSCONN_OPT_USER_OWNED_SCHEDULE is clear in
1413 # cn!options and cn!schedule != sch
1414 # Perform an originating update to set cn!schedule to
1415 # sched
1421 # IF bits NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT and
1422 # NTDSCONN_OPT_USE_NOTIFY are set in cn
1426 # IF bit NTDSSITELINK_OPT_USE_NOTIFY is clear in
1427 # ri.Options
1428 # Perform an originating update to clear bits
1429 # NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT and
1430 # NTDSCONN_OPT_USE_NOTIFY in cn!options
1437 # ELSE
1440 # IF bit NTDSSITELINK_OPT_USE_NOTIFY is set in
1441 # ri.Options
1442 # Perform an originating update to set bits
1443 # NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT and
1444 # NTDSCONN_OPT_USE_NOTIFY in cn!options
1451 # IF bit NTDSCONN_OPT_TWOWAY_SYNC is set in cn!options
1454 # IF bit NTDSSITELINK_OPT_TWOWAY_SYNC is clear in
1455 # ri.Options
1456 # Perform an originating update to clear bit
1457 # NTDSCONN_OPT_TWOWAY_SYNC in cn!options
1462 # ELSE
1465 # IF bit NTDSSITELINK_OPT_TWOWAY_SYNC is set in
1466 # ri.Options
1467 # Perform an originating update to set bit
1468 # NTDSCONN_OPT_TWOWAY_SYNC in cn!options
1473 # IF bit NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION is set
1474 # in cn!options
1477 # IF bit NTDSSITELINK_OPT_DISABLE_COMPRESSION is clear
1478 # in ri.Options
1479 # Perform an originating update to clear bit
1480 # NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION in
1481 # cn!options
1485 ~dsdb.NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION
1488 # ELSE
1490 # IF bit NTDSSITELINK_OPT_DISABLE_COMPRESSION is set in
1491 # ri.Options
1492 # Perform an originating update to set bit
1493 # NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION in
1494 # cn!options
1498 dsdb.NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION
1501 # Display any modified connection
1509 # ENDFOR
1513 # FOR each nTDSConnection object cn such that cn!parent is
1514 # a DC in lbhsAll and cn!fromServer references a DC in rbhsAll
1520 continue
1524 # IF (bit NTDSCONN_OPT_IS_GENERATED is clear in cn!options or
1525 # cn!transportType references t) and
1526 # NTDSCONN_OPT_RODC_TOPOLOGY is clear in cn!options
1531 # LET rguid be the objectGUID of the nTDSDSA object
1532 # referenced by cn!fromServer
1533 # LET lguid be (cn!parent)!objectGUID
1535 # IF BridgeheadDCFailed(rguid, detectFailedDCs) = FALSE and
1536 # BridgeheadDCFailed(lguid, detectFailedDCs) = FALSE
1537 # Increment cValidConnections by 1
1542 # IF keepConnections does not contain cn!objectGUID
1543 # APPEND cn!objectGUID to keepConnections
1546 # ENDFOR
1549 # IF cValidConnections = 0
1552 # LET opt be NTDSCONN_OPT_IS_GENERATED
1555 # IF bit NTDSSITELINK_OPT_USE_NOTIFY is set in ri.Options
1556 # SET bits NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT and
1557 # NTDSCONN_OPT_USE_NOTIFY in opt
1562 # IF bit NTDSSITELINK_OPT_TWOWAY_SYNC is set in ri.Options
1563 # SET bit NTDSCONN_OPT_TWOWAY_SYNC opt
1567 # IF bit NTDSSITELINK_OPT_DISABLE_COMPRESSION is set in
1568 # ri.Options
1569 # SET bit NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION in opt
1574 # Perform an originating update to create a new nTDSConnection
1575 # object cn that is a child of lbh, cn!enabledConnection = TRUE,
1576 # cn!options = opt, cn!transportType is a reference to t,
1577 # cn!fromServer is a reference to rbh, and cn!schedule = sch
1585 # Display any added connection
1594 # APPEND cn!objectGUID to keepConnections
1598 """Build a Vertex's transport lists
1600 Each vertex has accept_red_red and accept_black lists that
1601 list what transports they accept under various conditions. The
1602 only transport that is ever accepted is IP, and a dummy extra
1603 transport called "EDGE_TYPE_ALL".
1605 Part of MS-ADTS 6.2.2.3.4.3 -- ColorVertices
1607 :param vertex: the remote vertex we are thinking about
1608 :param local_vertex: the vertex relating to the local site.
1609 :param graph: the intersite graph
1610 :param detect_failed: whether to detect failed links
1611 :return: True if some bridgeheads were not found
1612 """
1613 # The docs ([MS-ADTS] 6.2.2.3.4.3) say to use local_vertex
1614 # here, but using vertex seems to make more sense. That is,
1615 # the docs want this:
1616 #
1617 # bh = self.get_bridgehead(local_vertex.site, vertex.part, transport,
1618 # local_vertex.is_black(), detect_failed)
1619 #
1620 # TODO WHY?????
1641 # Add additional transport to ensure another run of Dijkstra
1645 return found_failed
1648 """Create intersite NTDSConnections as needed by a partition
1650 Construct an NC replica graph for the NC identified by
1651 the given crossRef, then create any additional nTDSConnection
1652 objects required.
1654 :param graph: site graph.
1655 :param part: crossRef object for NC.
1656 :param detect_failed: True to detect failed DCs and route
1657 replication traffic around them, False to assume no DC
1658 has failed.
1660 Modifies self.kept_connections by adding any connections
1661 deemed to be "in use".
1663 :return: (all_connected, found_failed_dc)
1664 (all_connected) True if the resulting NC replica graph
1665 connects all sites that need to be connected.
1666 (found_failed_dc) True if one or more failed DCs were
1667 detected.
1668 """
1676 # XXX - This is a highly abbreviated function from the MS-TECH
1677 # ref. It creates connections between bridgeheads to all
1678 # sites that have appropriate replicas. Thus we are not
1679 # creating a minimum cost spanning tree but instead
1680 # producing a fully connected tree. This should produce
1681 # a full (albeit not optimal cost) replication topology.
1691 # No NC replicas for this NC in the site of the local DC,
1692 # so no nTDSConnection objects need be created
1705 # LET partialReplicaOkay be TRUE if and only if
1706 # localSiteVertex.Color = COLOR.BLACK
1709 # Utilize the IP transport only for now
1714 # XXX more accurate comparison?
1716 continue
1723 # We don't make connections to our own site as that
1724 # is intrasite topology generator's job
1727 continue
1729 # Determine bridgehead server in remote site
1733 continue
1735 # RODC acts as an BH for itself
1736 # IF AmIRODC() then
1737 # LET lbh be the nTDSDSA object of the local DC
1738 # ELSE
1739 # LET lbh be the result of GetBridgeheadDC(localSiteVertex.ID,
1740 # cr, t, partialReplicaOkay, detectFailedDCs)
1748 # TODO
1772 """Create NTDSConnections as necessary for all partitions.
1774 Computes an NC replica graph for each NC replica that "should be
1775 present" on the local DC or "is present" on any DC in the same site
1776 as the local DC. For each edge directed to an NC replica on such a
1777 DC from an NC replica on a DC in another site, the KCC creates an
1778 nTDSConnection object to imply that edge if one does not already
1779 exist.
1781 Modifies self.kept_connections - A set of nTDSConnection
1782 objects for edges that are directed
1783 to the local DC's site in one or more NC replica graphs.
1785 :return: True if spanning trees were created for all NC replica
1786 graphs, otherwise False.
1787 """
1791 # LET crossRefList be the set containing each object o of class
1792 # crossRef such that o is a child of the CN=Partitions child of the
1793 # config NC
1795 # FOR each crossRef object cr in crossRefList
1796 # IF cr!enabled has a value and is false, or if FLAG_CR_NTDS_NC
1797 # is clear in cr!systemFlags, skip cr.
1798 # LET g be the GRAPH return of SetupGraph()
1803 continue
1806 continue
1810 # Create nTDSConnection objects, routing replication traffic
1811 # around "failed" DCs.
1823 # One or more failed DCs preclude use of the ideal NC
1824 # replica graph. Add connections for the ideal graph.
1827 return all_connected
1830 """Generate the inter-site KCC replica graph and nTDSConnections
1832 As per MS-ADTS 6.2.2.3.
1834 If self.readonly is False, the connections are added to self.samdb.
1836 Produces self.kept_connections which is a set of NTDS
1837 Connections that should be kept during subsequent pruning
1838 process.
1840 After this has run, all sites should be connected in a minimum
1841 spanning tree.
1843 :param ping: An oracle function of remote site availability
1844 :return (True or False): (True) if the produced NC replica
1845 graph connects all sites that need to be connected
1846 """
1848 # Retrieve my DSA
1855 # Determine who is the ISTG
1861 # Test whether local site has topology disabled
1864 all_connected)
1865 return all_connected
1869 all_connected)
1870 return all_connected
1874 # For each NC with an NC replica that "should be present" on the
1875 # local DC or "is present" on any DC in the same site as the
1876 # local DC, the KCC constructs a site graph--a precursor to an NC
1877 # replica graph. The site connectivity for a site graph is defined
1878 # by objects of class interSiteTransport, siteLink, and
1879 # siteLinkBridge in the config NC.
1884 return all_connected
1886 # This function currently does no actions. The reason being that we cannot
1887 # perform modifies in this way on the RODC.
1889 """Updates the RODC NTFRS connection object.
1891 If the local DSA is not an RODC, this does nothing.
1892 """
1894 return
1896 # Given an nTDSConnection object cn1, such that cn1.options contains
1897 # NTDSCONN_OPT_RODC_TOPOLOGY, and another nTDSConnection object cn2,
1898 # does not contain NTDSCONN_OPT_RODC_TOPOLOGY, modify cn1 to ensure
1899 # that the following is true:
1900 #
1901 # cn1.fromServer = cn2.fromServer
1902 # cn1.schedule = cn2.schedule
1903 #
1904 # If no such cn2 can be found, cn1 is not modified.
1905 # If no such cn1 can be found, nothing is modified by this task.
1912 # XXX here we are dealing with multiple RODC_TOPO connections,
1913 # if they exist. It is not clear whether the spec means that
1914 # or if it ever arises.
1925 """Find the maximum number of edges directed to an intrasite node
1927 The KCC does not create more than 50 edges directed to a
1928 single DC. To optimize replication, we compute that each node
1929 should have n+2 total edges directed to it such that (n) is
1930 the smallest non-negative integer satisfying
1931 (node_count <= 2*(n*n) + 6*n + 7)
1933 (If the number of edges is m (i.e. n + 2), that is the same as
1934 2 * m*m - 2 * m + 3). We think in terms of n because that is
1935 the number of extra connections over the double directed ring
1936 that exists by default.
1938 edges n nodecount
1939 2 0 7
1940 3 1 15
1941 4 2 27
1942 5 3 43
1943 ...
1944 50 48 4903
1946 :param node_count: total number of nodes in the replica graph
1948 The intention is that there should be no more than 3 hops
1949 between any two DSAs at a site. With up to 7 nodes the 2 edges
1950 of the ring are enough; any configuration of extra edges with
1951 8 nodes will be enough. It is less clear that the 3 hop
1952 guarantee holds at e.g. 15 nodes in degenerate cases, but
1953 those are quite unlikely given the extra edges are randomly
1954 arranged.
1956 :param node_count: the number of nodes in the site
1957 "return: The desired maximum number of connections
1958 """
1962 break
1966 return n
1971 """Create an intrasite graph using given parameters
1973 This might be called a number of times per site with different
1974 parameters.
1976 Based on [MS-ADTS] 6.2.2.2
1978 :param site_local: site for which we are working
1979 :param dc_local: local DC that potentially needs a replica
1980 :param nc_x: naming context (x) that we are testing if it
1981 "should be present" on the local DC
1982 :param gc_only: Boolean - only consider global catalog servers
1983 :param detect_stale: Boolean - check whether links seems down
1984 :return: None
1985 """
1986 # We're using the MS notation names here to allow
1987 # correlation back to the published algorithm.
1988 #
1989 # nc_x - naming context (x) that we are testing if it
1990 # "should be present" on the local DC
1991 # f_of_x - replica (f) found on a DC (s) for NC (x)
1992 # dc_s - DC where f_of_x replica was found
1993 # dc_local - local DC that potentially needs a replica
1994 # (f_of_x)
1995 # r_list - replica list R
1996 # p_of_x - replica (p) is partial and found on a DC (s)
1997 # for NC (x)
1998 # l_of_x - replica (l) is the local replica for NC (x)
1999 # that should appear on the local DC
2000 # r_len = is length of replica list |R|
2001 #
2002 # If the DSA doesn't need a replica for this
2003 # partition (NC x) then continue
2018 return
2020 # Create a NCReplica that matches what the local replica
2021 # should say. We'll use this below in our r_list
2029 # Add this replica that "should be present" to the
2030 # needed replica table for this DSA
2033 # Replica list
2034 #
2035 # Let R be a sequence containing each writable replica f of x
2036 # such that f "is present" on a DC s satisfying the following
2037 # criteria:
2038 #
2039 # * s is a writable DC other than the local DC.
2040 #
2041 # * s is in the same site as the local DC.
2042 #
2043 # * If x is a read-only full replica and x is a domain NC,
2044 # then the DC's functional level is at least
2045 # DS_BEHAVIOR_WIN2008.
2046 #
2047 # * Bit NTDSSETTINGS_OPT_IS_TOPL_DETECT_STALE_DISABLED is set
2048 # in the options attribute of the site settings object for
2049 # the local DC's site, or no tuple z exists in the
2050 # kCCFailedLinks or kCCFailedConnections variables such
2051 # that z.UUIDDsa is the objectGUID of the nTDSDSA object
2052 # for s, z.FailureCount > 0, and the current time -
2053 # z.TimeFirstFailure > 2 hours.
2055 r_list = []
2057 # We'll loop thru all the DSAs looking for
2058 # writeable NC replicas that match the naming
2059 # context dn for (nc_x)
2060 #
2062 # If this partition (nc_x) doesn't appear as a
2063 # replica (f_of_x) on (dc_s) then continue
2065 continue
2067 # Pull out the NCReplica (f) of (x) with the dn
2068 # that matches NC (x) we are examining.
2071 # Replica (f) of NC (x) must be writable
2073 continue
2075 # Replica (f) of NC (x) must satisfy the
2076 # "is present" criteria for DC (s) that
2077 # it was found on
2079 continue
2081 # DC (s) must be a writable DSA other than
2082 # my local DC. In other words we'd only replicate
2083 # from other writable DC
2085 continue
2087 # Certain replica graphs are produced only
2088 # for global catalogs, so test against
2089 # method input parameter
2091 continue
2093 # DC (s) must be in the same site as the local DC
2094 # as this is the intra-site algorithm. This is
2095 # handled by virtue of placing DSAs in per
2096 # site objects (see enclosing for() loop)
2098 # If NC (x) is intended to be read-only full replica
2099 # for a domain NC on the target DC then the source
2100 # DC should have functional level at minimum WIN2008
2101 #
2102 # Effectively we're saying that in order to replicate
2103 # to a targeted RODC (which was introduced in Windows 2008)
2104 # then we have to replicate from a DC that is also minimally
2105 # at that level.
2106 #
2107 # You can also see this requirement in the MS special
2108 # considerations for RODC which state that to deploy
2109 # an RODC, at least one writable domain controller in
2110 # the domain must be running Windows Server 2008
2113 continue
2115 # If we haven't been told to turn off stale connection
2116 # detection and this dsa has a stale connection then
2117 # continue
2119 continue
2121 # Replica meets criteria. Add it to table indexed
2122 # by the GUID of the DC that it appears on
2125 # If a partial (not full) replica of NC (x) "should be present"
2126 # on the local DC, append to R each partial replica (p of x)
2127 # such that p "is present" on a DC satisfying the same
2128 # criteria defined above for full replica DCs.
2129 #
2130 # XXX This loop and the previous one differ only in whether
2131 # the replica is partial or not. here we only accept partial
2132 # (because we're partial); before we only accepted full. Order
2133 # doesn't matter (the list is sorted a few lines down) so these
2134 # loops could easily be merged. Or this could be a helper
2135 # function.
2138 # Now we loop thru all the DSAs looking for
2139 # partial NC replicas that match the naming
2140 # context dn for (NC x)
2143 # If this partition NC (x) doesn't appear as a
2144 # replica (p) of NC (x) on the dsa DC (s) then
2145 # continue
2147 continue
2149 # Pull out the NCReplica with the dn that
2150 # matches NC (x) we are examining.
2153 # Replica (p) of NC (x) must be partial
2155 continue
2157 # Replica (p) of NC (x) must satisfy the
2158 # "is present" criteria for DC (s) that
2159 # it was found on
2161 continue
2163 # DC (s) must be a writable DSA other than
2164 # my DSA. In other words we'd only replicate
2165 # from other writable DSA
2167 continue
2169 # Certain replica graphs are produced only
2170 # for global catalogs, so test against
2171 # method input parameter
2173 continue
2175 # If we haven't been told to turn off stale connection
2176 # detection and this dsa has a stale connection then
2177 # continue
2179 continue
2181 # Replica meets criteria. Add it to table indexed
2182 # by the GUID of the DSA that it appears on
2185 # Append to R the NC replica that "should be present"
2186 # on the local DC
2194 # Add a node for each r_list element to the replica graph
2195 graph_list = []
2200 # For each r(i) from (0 <= i < |R|-1)
2203 # Add an edge from r(i) to r(i+1) if r(i) is a full
2204 # replica or r(i+1) is a partial replica
2208 # Add an edge from r(i+1) to r(i) if r(i+1) is a full
2209 # replica or ri is a partial replica.
2214 # Add an edge from r|R|-1 to r0 if r|R|-1 is a full replica
2215 # or r0 is a partial replica.
2219 # Add an edge from r0 to r|R|-1 if r0 is a full replica or
2220 # r|R|-1 is a partial replica.
2230 dot_edges = []
2255 rw_dot_vertices,
2264 # For each existing nTDSConnection object implying an edge
2265 # from rj of R to ri such that j != i, an edge from rj to ri
2266 # is not already in the graph, and the total edges directed
2267 # to ri is less than n+2, the KCC adds that edge to the graph.
2279 # To optimize replication latency in sites with many NC
2280 # replicas, the KCC adds new edges directed to ri to bring
2281 # the total edges to n+2, where the NC replica rk of R
2282 # from which the edge is directed is chosen at random such
2283 # that k != i and an edge from rk to ri is not already in
2284 # the graph.
2285 #
2286 # Note that the KCC tech ref does not give a number for
2287 # the definition of "sites with many NC replicas". At a
2288 # bare minimum to satisfy n+2 edges directed at a node we
2289 # have to have at least three replicas in |R| (i.e. if n
2290 # is zero then at least replicas from two other graph
2291 # nodes may direct edges to us).
2315 # Print the graph node in debug mode
2318 # For each edge directed to the local DC, ensure a nTDSConnection
2319 # points to us that satisfies the KCC criteria
2325 dot_edges = []
2350 rw_dot_vertices,
2360 """Generate the intrasite KCC connections
2362 As per MS-ADTS 6.2.2.2.
2364 If self.readonly is False, the connections are added to self.samdb.
2366 After this call, all DCs in each site with more than 3 DCs
2367 should be connected in a bidirectional ring. If a site has 2
2368 DCs, they will bidirectionally connected. Sites with many DCs
2369 may have arbitrary extra connections.
2371 :return: None
2372 """
2377 # Test whether local site has topology disabled
2380 return
2387 # Loop thru all the partitions, with gc_only False
2390 detect_stale)
2395 # If the DC is a GC server, the KCC constructs an additional NC
2396 # replica graph (and creates nTDSConnection objects) for the
2397 # config NC as above, except that only NC replicas that "are present"
2398 # on GC servers are added to R.
2403 # Do it again, with gc_only True
2407 detect_stale)
2409 # The DC repeats the NC replica graph computation and nTDSConnection
2410 # creation for each of the NC replica graphs, this time assuming
2411 # that no DC has failed. It does so by re-executing the steps as
2412 # if the bit NTDSSETTINGS_OPT_IS_TOPL_DETECT_STALE_DISABLED were
2413 # set in the options attribute of the site settings object for
2414 # the local DC's site. (ie. we set "detec_stale" flag to False)
2419 # Loop thru all the partitions.
2424 # If the DC is a GC server, the KCC constructs an additional NC
2425 # replica graph (and creates nTDSConnection objects) for the
2426 # config NC as above, except that only NC replicas that "are present"
2427 # on GC servers are added to R.
2440 """Compile a comprehensive list of DSA DNs
2442 These are all the DSAs on all the sites that KCC would be
2443 dealing with.
2445 This method is not idempotent and may not work correctly in
2446 sequence with KCC.run().
2448 :return: a list of DSA DN strings.
2449 """
2457 dsas = []
2461 return dsas
2464 """Load the database using an url, loadparm, and credentials
2466 If force is False, the samdb won't be reloaded if it already
2467 exists.
2469 :param dburl: a database url.
2470 :param lp: a loadparm object.
2471 :param creds: a Credentials object.
2472 :param force: a boolean indicating whether to overwrite.
2474 """
2486 """Helper function to plot and verify NTDSConnections
2488 :param basename: an identifying string to use in filenames and logs.
2489 :param verify_properties: properties to verify (default empty)
2490 """
2493 return
2495 dot_edges = []
2496 dot_vertices = []
2497 edge_colours = []
2498 vertex_colours = []
2523 """Perform a KCC run, possibly updating repsFrom topology
2525 :param dburl: url of the database to work with.
2526 :param lp: a loadparm object.
2527 :param creds: a Credentials object.
2528 :param forced_local_dsa: pretend to be on the DSA with this dn_str
2529 :param forget_local_links: calculate as if no connections existed
2530 (boolean, default False)
2531 :param forget_intersite_links: calculate with only intrasite connection
2532 (boolean, default False)
2533 :param attempt_live_connections: attempt to connect to remote DSAs to
2534 determine link availability (boolean, default False)
2535 :return: 1 on error, 0 otherwise
2536 """
2543 forced_local_dsa)
2546 # Setup
2556 guid_to_dnstr = {}
2564 dot_edges = []
2575 dot_edges = []
2591 dot_edges = []
2592 dot_colours = []
2628 # Encapsulates lp and creds in a function that
2629 # attempts connections to remote DSAs.
2634 return False
2635 return True
2638 # These are the published steps (in order) for the
2639 # MS-TECH description of the KCC algorithm ([MS-ADTS] 6.2.2)
2641 # Step 1
2644 # Step 2
2647 # Step 3
2650 # Step 4
2653 # Step 5
2656 # Step 6
2659 # Step 7
2669 dot_edges = []
2670 edge_colors = []
2685 dot_edges = []
2702 raise
2707 """Import relevant objects and attributes from an LDIF file.
2709 The point of this function is to allow a programmer/debugger to
2710 import an LDIF file with non-security relevant information that
2711 was previously extracted from a DC database. The LDIF file is used
2712 to create a temporary abbreviated database. The KCC algorithm can
2713 then run against this abbreviated database for debug or test
2714 verification that the topology generated is computationally the
2715 same between different OSes and algorithms.
2717 :param dburl: path to the temporary abbreviated db to create
2718 :param lp: a loadparm object.
2719 :param ldif_file: path to the ldif file to import
2720 :param forced_local_dsa: perform KCC from this DSA's point of view
2721 :return: zero on success, 1 on error
2722 """
2725 forced_local_dsa)
2732 """Save KCC relevant details to an ldif file
2734 The point of this function is to allow a programmer/debugger to
2735 extract an LDIF file with non-security relevant information from
2736 a DC database. The LDIF file can then be used to "import" via
2737 the import_ldif() function this file into a temporary abbreviated
2738 database. The KCC algorithm can then run against this abbreviated
2739 database for debug or test verification that the topology generated
2740 is computationally the same between different OSes and algorithms.
2742 :param dburl: LDAP database URL to extract info from
2743 :param lp: a loadparm object.
2744 :param cred: a Credentials object.
2745 :param ldif_file: output LDIF file name to create
2746 :return: zero on success, 1 on error
2747 """
2750 ldif_file)