1 Implementing SAM replication in Samba 3 Richard-Guillaume Renard > IDEALX solutions > SAM replication howto > BDC side > PDC side
2 IDEALX the Open Source leader in France Founded in feb Engineering Team : 60 people in january, growing... Main Shareholder : Caisse des Dépôts et Consignation (largest french investor, financing leading e-gov. projects like electronic citizen cards) IDEALX is the reference Open Source partner for French Fortune-100 and Government IDEALX User Club gathers requests from corporations and enable partial financing of Samba developments (Thanks to Gaz de France for funding the TSE work)
3 Best Open Source Solutions > Security solutions IDX-PKI is the #1 PKI in France Beating every large proprietary editor Expanding in Europe Recommended in the latest O'Reilly book ( PKI Open Source ) > Infrastructure Solutions Migration Server is an integrated package of OSS components for NT replacement projects (Samba, LDAP, DNS, DHCP, etc.) Adopted by most of the retail sector (Auchan, Décathlon, Castorama/King Fisher, etc.) New IMC platform for developping user friendly Web console tools
4 IMC in action... See more at idealx.org
5 Did we mention our PKI offering...? See details at idx-pki.idealx.org
6 And now for something completely different...
7 Why implementing NT replication protocol Allow NT and Samba to work together. in organizations when DCs are at distant locations Easier migration Smoother transition, and test period Samba could use this mechanism for replication too We could add some Samba specific fields.
8 NT4 Domain One master called PDC (Primary Domain Controller) Holds the master copy of the SAM database Many secondary called BDC (Backup DC) Holds read-only copy of the SAM SAM composed of 3 Databases Accounts Built-in LSA
9 Synchronisation Mechanism When a modification is made on the PDC's SAM, a notification message is sent to BDCs. Notification message contains serial number for each Databases. Synchronisation can occur immediately after a change accout policy change, locked account or after a delay (5 to 15 min) adding/deleting users/groups
10 Synchronisation Mechanism Replication is a pull process, BDC makes a call on the \\NETLOGON pipe of the PDC for changes after receiving notification When asking, BDC gives its databases state (serial n ) The three databases are independent for sync, database is specified when the request is made.
11 Two Synchronisation Types Partial Sync (NetDatabaseDeltas) contains only recent changes made on the domain based on sequence number Full Sync (NetDatabaseSync) contains all SAM database informations initiated when BDC enters in a domain when BDC is out of sync if crash happened during last sync
12 Notification Message Notification message contains serial n for each DBs, this number have two states: current database state BDC should be in sync, does not ask for deltas 0xFFFFFFFF BDC not in sync, ask for deltas If given serial number is wrong or outdated a Full Sync is requested by the PDC
13 Notification Message... Microsoft Windows Logon Protocol... Command: Announce Change to UAS or SAM (0x0a) Low Serial Number: 350 Date/Time: Pulse: 7200 Random: 1 PDC Name: PDC Domain Name: DOMAIN Unicode PDC Name: PDC Unicode Domain Name: DOMAIN DB Count: 3 DBChange Info Structure: index 0 Database Index: 0 Large Serial Number: NT Date/Time: Jan 8, :43: DBChange Info Structure: index 1 Database Index: 1 Large Serial Number: 2 NT Date/Time: Jan 8, :54: DBChange Info Structure: index 2 Database Index: 2 Large Serial Number: 30 NT Date/Time: Jan 8, :56:
14 DatabaseDeltas Reply contains an array of SAM objects users groups and synchronisation points modification_count delta The next serial number that should be used for the next sync is contained before the delta array
15 DatabaseDeltas DCE RPC Microsoft Network Logon Operation: NetrDatabaseDeltas (7) AUTHENTICATOR: return_authenticator Credential: CDB74399FCD60FB8 Timestamp: Oct 13, :40: MODIFIED_COUNT: domain modified count Modify Count: 384 DELTA_ENUM_ARRAY: deltas Referent ID: 0x Num Deltas: 1 DELTA_ENUM: deltas Referent ID: 0x0016d2d0 Max Count: 1 DELTA_ENUM:User VMNTBDC3$ Delta Type: User (5) DELTA_ID_UNION: DELTA_UNION: VMNTBDC3$ Delta Type: User (5) DELTA_USER: VMNTBDC3$
16 DatabaseSync Serial number is contained in DOMAIN delta Microsoft Network Logon Operation: NetrDatabaseSync2 (16) AUTHENTICATOR: return_authenticator Credential: 2EA86FD3F8C14890 Timestamp: Feb 7, :02: Sync Context: 1 DELTA_ENUM_ARRAY: deltas Referent ID: 0x00165f88 Num Deltas: 11 DELTA_ENUM: deltas Referent ID: 0x00165fd0 Max Count: 11 DELTA_ENUM:Domain VMTEST DELTA_ENUM:Group DELTA_ENUM:User DELTA_ENUM:Group Member
17 BDC side what is needed We need to act upon reception of a notification event Mailslot\NETLOGON Need to store serial number for next sync Should consider our local SAM as a read-only copy
18 BDC side what is working Understands notification message Ask PDC for deltas or full sync Supported domain operations : adding/deleting user, group modifying username all password policy options Based on vampire code, which is moved into rpc_client/cli_netlogon_util.c Serial numbers stored in tdb
19 BDC side what is left to do SAM attributes local groups privileges, trusted domains Add a system to prevent modifications of the SAM by command line tools or RPC calls?
20 BDC side suggestions, shortcomings Why not temporarily store deltas before applying? Current implementation requires smbd to be started before nmbd (because of the need to get PDC name) Should we remove our local SAM when full sync is requested? NT PDC seems to see Samba as a second class BDC PDC keeps sending notifications immediate notifications are not immediately sent to us
21 PDC side what is needed We need to support all SAM attributes, even if we don't use them. Need to keep a list of all our BDCs and their synchro status Need to keep track of operations done on the domain (users, groups, policy, etc...), all or only a part? Some fields are still unknown
22 Serial numbers Serial numbers seems to have their own life sometimes incrementation makes sense 1 for a user or group, 2 for domain infos sometimes not 4 deltas, increment is only 3 As a PDC should we care about?
23 PDC side what exists rpc_parse/parse_net.c contains stuff to marshall / unmarshall deltas client code
24 PDC side what's left 2 missing RPC calls NetDatabaseSync NetDatabaseDeltas All the system to keep track of the modifications done on the SAM The notification system
25 Roadmap The goal is to have something that works by the end of June So it can be tested and merged into 3.x
PassTest Bessere Qualität, bessere Dienstleistungen! Q&A Exam : 70-640 Title : Windows Server 2008 Active Directory. Configuring Version : Demo 1 / 28 1.You have a single Active Directory domain. All domain
Evaluation of different Open Source Identity management Systems Ghasan Bhatti, Syed Yasir Imtiaz Linkoping s universitetet, Sweden [ghabh683, syeim642]@student.liu.se 1. Abstract Identity management systems
ESET Remote Administrator Installation Manual and User Guide we protect your digital worlds contents Contents 1. Introduction... 4 2. ERA client/server architecture... 5 2.1 ERA Server (ERAS)...5 2.1.1
HP D2D NAS Integration with HP Data Protector 6.11 Abstract This guide provides step by step instructions on how to configure and optimize HP Data Protector 6.11 in order to back up to HP D2D Backup Systems
User Guide BackupAssist User Guides explain how to create and modify backup jobs, create backups and perform restores. These steps are explained in more detail in a guide s respective whitepaper. Whitepapers
Parallels Panel Contents About This Document 3 Integration and Automation Capabilities 4 Command-Line Interface (CLI) 8 API RPC Protocol 9 Event Handlers 11 Panel Notifications 13 APS Packages 14 C H A
Dell KACE K1000 Management Appliance Service Desk Administrator Guide Release 5.3 Revision Date: May 13, 2011 2004-2011 Dell, Inc. All rights reserved. Information concerning third-party copyrights and
Windows Firewall with Advanced Security Design Guide and Deployment Guide Microsoft Corporation Published: October 2008 Author: Dave Bishop Editor: Allyson Adley Reviewers: Bilal Aijazi, Boyd Benson, Shalaka
SYMANTEC ServiceDesk Customization Guide 7.0 Symantec ServiceDesk 7 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
GALSYNC V4.3 Manual NETSEC 18. March 2013 NETsec GmbH & Co.KG Schillingsstrasse 117 DE - 52355 Düren THE ADVANTAGES OF GALSYNC... 6 EASY TO USE... 6 NO SECURITY RISKS IN YOUR FIREWALL... 6 VALUES FOR YOUR
The Intelligent Surveillance Solution Titan NVR Server User Manual Ver. 188.8.131.52026.00 Table of Contents 1. Installation... 4 1.1 Installation Process... 4 1.2 LED Status Definitions... 12 2. Settings...
Borland StarTeam 2009 StarTeam Server Help Borland Software Corporation 8310 N Capital of Texas Hwy, Bldg 2, Ste 100 Austin, Texas 78731 USA www.borland.com Borland Software Corporation may have patents
MCAFEE APPLICATION CONTROL / CHANGE CONTROL BEST PRACTICES GUIDE Version 0.4 20 December 2011 About This Guide The purpose of this guide is to provide best practices for initial usage of the three main
BMC Remedy Action Request System 7.0 Administering BMC Remedy Email Engine May 2006 Part No: 58475 Copyright 2006 BMC Software, Inc. All rights reserved. BMC, the BMC logo, all other BMC product or service
DameWare Remote Support Legal Copyright 1995-2015 SolarWinds Worldwide, LLC. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled,
Zabbix : Interview 2012 of Alexei Vladishev Monitoring-fr : Results in 2011 for Zabbix: objectives achieved? What are your main satisfactions and disappointments? Alexei Vladishev : I am happy to say that
Product Guide McAfee Enterprise Mobility Management 11.0 Software For use with epolicy Orchestrator 4.6.5-5.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS
Microsoft Exchange Server 2010 Microsoft William R. Stanek Author and Series Editor Administrator s Pocket Consultant Microsoft prepress is early content, straight from the source. What makes it prepress?
Installation and Upgrade Guide Copyright Statement Copyright Acronis International GmbH, 2002-2014. All rights reserved. Acronis and Acronis Secure Zone are registered trademarks of Acronis International
Best Practices for Deploying and Managing Linux with Red Hat Network Abstract This technical whitepaper provides a best practices overview for companies deploying and managing their open source environment
Outline Introduction to Mimosa Archive... 1 What to expect... 2 Why are we using this program?... 2 Webmail... 2 Search methods... 3 Quick Search... 3 Browse... 4 View messages... 6 Restore messages...