[PATCHES] Add samba-tool visualize


Samba - samba-technical mailing list
At times active directory can be terribly confusing with so many DCs
all busily doing amazing things that do not necessarily seem to lead
to successful replication. At these times you might be tempted to try
`samba-tool drs show-repl`, revealing a large clump of text that seems
to trace a delicate path between, but not including, human-readable
and machine-readable. At this point you might wish for a higher level
overview -- some means to grasp the situation as a whole -- so that
even if you proceed to panic you have a fuller narrative about why you
are panicking. Perhaps what you need is `samba-tool visualize`,
provided by this patchset. Actually, you probably need more of it than
is provided here -- and there is more, but 4.8 won't wait for it.

The tool has two modes of operation, '--distance' and '--dot'. '--dot'
generates Graphviz dot files that describe a graph; you need dot or
xdot to actually view the graph. It was stolen from samba_kcc which
can under duress be made to draw replication graphs a lot like those
of `samba-tool visualize ntdsconn --dot`. The default mode, '--distance',
draws a distance matrix or heatmap. Here's a very simple example, from
the tests:

| $ bin/samba-tool visualize ntdsconn -H $SERVER -U $USER%$PASS --color=no --shorten-names
|
| NTDS Connections known to CN=LOCALVAMPIREDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=example,DC=com
|                           destination
|                      ,--- *,CN=LOCALDC+
|                      |,-- *,CN=LOCALVAMPIREDC+
|               source ||,- *,CN=PROMOTEDVDC+
|        *,CN=LOCALDC+ 0--
| *,CN=LOCALVAMPIREDC+ 10-
|    *,CN=PROMOTEDVDC+ --0
|
| '*' stands for 'CN=NTDS Settings'
| '+' stands for ',CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=example,DC=com'
|
| Data can get from source to destination in the indicated number of steps.
| 0 means zero steps (it is the same DC)
| 1 means a direct link
| 2 means a transitive link involving two steps (i.e. one intermediate DC)
| - means there is no connection, even through other DCs

That is telling you that the only connection is from LOCALVAMPIREDC to
LOCALDC, which is one of the situations in which you might reasonably
panic if you didn't know that it was a test environment of dubious
origin that had only been up for 3 seconds. But supposing you were
panicking, one thing you might want to know is what the other DCs
thought was going on. The above picture is LOCALVAMPIREDC's point of
view. To ask all the DCs at once, you add '--talk-to-remote' (or
'-r').

| $ bin/samba-tool visualize ntdsconn -H $SERVER -U $USER%$PASS --color=no --shorten-names -r
|
| NTDS Connections known to each destination DC
|                           destination
|                      ,--- *,CN=LOCALDC+
|                      |,-- *,CN=LOCALVAMPIREDC+
|               source ||,- *,CN=PROMOTEDVDC+
|        *,CN=LOCALDC+ 0--
| *,CN=LOCALVAMPIREDC+ 10-
|    *,CN=PROMOTEDVDC+ 210

which shows us that things are not *quite* so bad.

If you ask about repsFrom/To objects, you should use '-r', because
these are not replicated. And I'll add '--utf8' to test your email
clients:

| $ bin/samba-tool visualize reps -H $SERVER -U $USER%$PASS --shorten-names -r --utf8
|
| RepsFrom objects for CONFIGURATION
|                         destination
|                    ╭─── CN=LOCALDC+
|                    │╭── CN=LOCALVAMPIREDC+
|             source ││╭─ CN=PROMOTEDVDC+
|        CN=LOCALDC+ ·11
| CN=LOCALVAMPIREDC+ 1·1
|    CN=PROMOTEDVDC+ 21·
|
| '+' stands for ',CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=example,DC=com'
|
| Data can get from source to destination in the indicated number of steps.
| · means zero steps (it is the same DC)
| 1 means a direct link
| 2 means a transitive link involving two steps (i.e. one intermediate DC)
| - means there is no connection, even through other DCs

With '--color=yes' (or '--color=auto' in a terminal, or
'--color-scheme=<any of a number of undocumented strings>'), you get
colour output in the style of a heatmap. 'no' is currently the default. I
can't do colour here, but there are some pictures at

https://www.samba.org/~dbagnall/visualize/

along with some of the dot graphs.

You might be wondering why this is a whole new sub-tree, and not
something like `samba-tool drs visualize`. The main reason is that this is
quite experimental and it is nicer to experiment when you know there
are no easily breakable things around. As you will see from the
patches, this touches few existing files. Another reason is I'd like
there to be non-DRS visualisations which can at least start their
lives under `samba-tool visualize`.

Please review, etc.

Douglas

Attachment: visualize.patch (94K)
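To make the '--distance' legend concrete, here is a small stand-alone reconstruction of what the matrix encodes. It is an added example, not code from the patchset or from samba-tool: it takes directed replication links (source DC to destination DC, the direction data flows) as each DC knows them, computes the fewest hops between every pair with a breadth-first search, and prints the same source-by-destination matrix, once from a single DC's point of view and once with every DC's knowledge merged, which is the difference '-r' makes. The DC names reuse the ones from the test output above, but the per-DC `KNOWLEDGE` table (which server knows of which link) is constructed for illustration and the '+' marker for ten or more hops is my own choice.

```python
"""Step-distance matrix over DC replication links, in the style of
`samba-tool visualize --distance` (added example, not samba-tool code)."""
from collections import deque

# Constructed sample data (not from a real domain): each DC's own view of the
# NTDS connection objects.  An edge is (source, destination) in the direction
# data flows.  The configuration partition has not replicated everywhere yet,
# so the views disagree, which is the situation the tool's -r flag exposes.
KNOWLEDGE = {
    "LOCALDC":        {("LOCALVAMPIREDC", "LOCALDC")},
    "LOCALVAMPIREDC": {("LOCALVAMPIREDC", "LOCALDC")},
    "PROMOTEDVDC":    {("PROMOTEDVDC", "LOCALVAMPIREDC")},
}


def distances(dcs, edges):
    """Return {source: {destination: hops}} using BFS over the directed edges.

    hops is 0 for the same DC, 1 for a direct link, 2 for one intermediate
    DC, and so on; None means the destination is unreachable even through
    other DCs.  Edges naming a DC outside `dcs` are ignored so that a link
    to an unknown server cannot break the rendering.
    """
    adj = {dc: set() for dc in dcs}
    for src, dst in edges:
        if src in adj and dst in adj:
            adj[src].add(dst)
    table = {}
    for start in dcs:
        hops = {start: 0}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for nxt in sorted(adj[node]):
                if nxt not in hops:
                    hops[nxt] = hops[node] + 1
                    queue.append(nxt)
        table[start] = {dc: hops.get(dc) for dc in dcs}
    return table


def view(knowledge, asked, talk_to_remote=False):
    """Distance table from one DC's point of view, or from all DCs merged.

    Without talk_to_remote only the edges `asked` knows about are used,
    which mirrors querying a single server.  With it, every DC's edges are
    unioned, which is what asking each DC in turn gives you.
    """
    dcs = sorted(knowledge)
    edges = set().union(*knowledge.values()) if talk_to_remote else knowledge[asked]
    return distances(dcs, edges)


def cell(hops):
    """One character per matrix cell, following the tool's legend."""
    if hops is None:
        return "-"
    return str(hops) if hops < 10 else "+"   # '+' for 10+ hops is an assumption


def render(table):
    """Rows are sources, columns destinations, with slanted column labels."""
    dcs = sorted(table)
    n = len(dcs)
    width = max(len(dc) for dc in dcs)
    lines = [" " * (width + 1) + "destination"]
    for i, dc in enumerate(dcs):
        label = "source".rjust(width) if i == n - 1 else " " * width
        lines.append(label + " " + "|" * i + "," + "-" * (n - 1 - i) + " " + dc)
    for src in dcs:
        row = "".join(cell(table[src][dst]) for dst in dcs)
        lines.append(src.rjust(width) + " " + row)
    return "\n".join(lines)


def matrix_text(knowledge, asked, talk_to_remote=False):
    """Convenience wrapper: compute and render in one call."""
    return render(view(knowledge, asked, talk_to_remote))


if __name__ == "__main__":
    print("As seen by LOCALVAMPIREDC:")
    print(matrix_text(KNOWLEDGE, "LOCALVAMPIREDC"))
    print()
    print("Asking every DC (-r):")
    print(matrix_text(KNOWLEDGE, "LOCALVAMPIREDC", talk_to_remote=True))
```

Run as a script it prints the `0--/10-/--0` matrix for the single view and `0--/10-/210` for the merged one, reproducing the two outputs above; the point of the BFS is that a '2' in the merged matrix is not a link any DC stores, it is inferred from two stored links, so a DC that reports '-' where others report '2' is one whose copy of the configuration partition has not caught up.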

Re: [PATCHES] Add samba-tool visualize

Samba - samba-technical mailing list
On 08/01/18 10:42, Douglas Bagnall wrote:
>  Perhaps what you need is `samba-tool visualize`,
> provided by this patchset. Actually, you probably need more of it than
> is provided here -- and there is more, but 4.8 won't wait for it.

One thing I have but am not at all happy with yet is 'samba-tool
visualize drs' which tries to overlay all the different AD graphs on
top of each other so you can see how they relate. There are
site-edges, reps, ntds connections, schedules, edge weights, rodc
connections, and all kinds of flags and oddities. The trick is in
finding a balance between looking floral and being meaningful, within
the confines of the not-actually-all-that-expressive dot language.
(Possibly it is truly impossible to describe this stuff in less space
than MS-ADTS).

Another one I want is a picture that shows recency of communication.
It is all very well knowing that your machines think they can talk to
each other while not actually doing so in practice.

Would it be useful to be able to generate ASCII art network sequence
diagrams tracing a change through the network?

Douglas


Re: [PATCHES] Add samba-tool visualize

Samba - samba-technical mailing list
There are still some patches that need to be upstreamed with regard to last
update time, because that's continuously clobbered still in the repsTo
case. There are a few objects with update times stored, some of which are
possibly redundant. We probably need to figure out which times are
actually helpful.

I was wondering if we might get more mileage out of plainly overriding
assertEquals checking for string types. I can't recall the default
behaviour being that great, although there's probably a lot that isn't
multi-line. It could break something too, I suppose.

Garming


On 8/01/2018 11:21 AM, Douglas Bagnall via samba-technical wrote: [quoted message, identical to the one above, omitted]