The ‘samba-tool’ command (which replaces the old ‘net’ command in Samba4) is slowly being migrated to python. It started off as a pure C program, but with the adoption of python as the primary scripting language for Samba4, we’ve been moving it one subcommand at a time to python.
Currently it is a C program that calls out to python for any subcommands not implemented in the C part of the code. As of last week we had just 5 subcommands left in C, with all the rest implemented using the very nice netcmd python framework that Jelmer did. That works, but it does mean the command line parsing is a bit of a mess, as command line options are first handled by popt in C, then handled again by python code. That leads to some odd behavior.
Yesterday I decided to tackle a couple more of them, in the hope of finally getting rid of the C wrapper in the near future. I started with the ‘samba-tool drs’ commands, which Kamen had done in C earlier in the year. The drs subcommands allow admins to control and query DRS replication, and are a core piece of the command set for any Samba4 sysadmin. I was pleased to find I could re-do all of the drs subcommands in python using about 1/4 of the code, while gaining some better printing of options and flags.
I’ve now started on the samba-tool gpo subcommands, which are for administering Group Policy Objects. That mostly involves some simple LDAP calls, which python is really good at (via the samdb interface), but it will also need some file operations, which will finally give me the excuse to create python interfaces for CIFS file operations. Meanwhile, Andrew Bartlett is working on some token/access_check calls that I will need to test whether a user has access to a GPO object.
This effort is also a good chance for me to learn a bit more about administering GPOs. One of the challenges I have with Samba development is that I don’t actually have much experience as a Windows sysadmin, so I’ve rarely had to deal with the finer details of administering collections of GPOs. Rewriting our GPO admin tool in python should cure me of that deficiency.
After I’ve finished the conversion of ‘samba-tool’ GPO I think we’ll be ready to ditch the C wrapper for samba-tool. I think Jelmer should have the honor of doing that final git rm, as it was his efforts that started us down this track of converting the tool to python. It’s been a very worthwhile effort, but it has taken quite a long time!
w2k3 TSIG/GSS DNS updates
Hongwei (a very helpful Microsoft engineer) and I are still trying to find the cause of the failure of Windows2003 server to register some DNS records with bind9 using TSIG/GSSAPI. I’ve sent Hongwei some new TTT (‘Time Travel Trace’) logs of lsass.exe and svchost.exe in Windows2003 going through its initial registration on reboot. That combined with a parallel network capture should tell us what is going on.
The really strange part is that the registration of the _udp, _tcp and _msdcs names works fine, but the registration of the A record for the machine doesn’t ever attempt to negotiate a TKEY needed for a TSIG/GSS DNS update. It is probably related to the split between the dhcp (svchost.exe) process on Windows2003 doing the A records, and lsass.exe doing the other DNS names.
I wish we had something like TTT for Linux, it really is an amazing tool for debugging complex issues. When Hongwei gets a trace from me, he can load it into a debugger and navigate backwards and forwards in time in the trace, seeing exactly what is happening in a source level debugger. I’ve seen some pretty impressive demos of reversible debugging using valgrind on Linux, but nothing that yet matches what Hongwei can do with TTT.