Fix unneeded stops and restarts in AD monitoring

[anodos325]

Ticket #33453

There are a several distinct situations where our AD monitoring will either turn off the Active Directory service or restart the Active Directory service when it is not required.
The improvements are as follows:

1. Use SRV records to enumerate the LDAP servers in the environment and then check to see if the LDAP port is listening on any of them. If we pass this check, then we do not turn off AD service.
   Simplify checks to see if the AD service is properly running, by reducing it to a single test "wbinfo -t". This reduces the liklihood of a false-positive that we are no longer joined to the domain.
2. Add a low-impact recovery attempt if we fail the getStarted() check. Winbind in its current form establishes a connection to only a single DC. It has been observed in testing that if this DC goes down, then we will fail the getStarted() check. Restarting winbind was sufficient in these situations to put the domain join back into a healthy state. Try this first before performing a more disruptive recovery attempt.
3. The default AD DNS timeout and lifetime values make it so that if Nameserver 1 in the FreeNAS configuration is down, then get_SRV_records() in freenasldap.py will always fail (we never try to get SRV records from Nameserver 2). If we reduce the timeout to 1/3 of the overall lifetime, then we will query other nameservers and AD will stay up.

[b-a-t]

rebuild

[b-a-t]

"Make max_tries attempts...." - current value of 3 is definable

[b-a-t]

I understand the reasons you made it this way and that you don't want to mess with sysctl() updates, but I'd keep ability to modify timeout through the sysctl(). How about:

r.timeout = _fs().directoryservice.activedirectory.dns.timeout / 2
Or
r.lifetime = _fs().directoryservice.activedirectory.dns.lifetime * 2

[b-a-t]

Please, try to avoid legacy "%x" % (v) syntax. Use either f'{v}' or '{}'.format(v) instead.

[b-a-t]

It's a bit hard to see it here, but looks like host_list you are referencing here is declared, if any, in another scope. I actually commented about this to you before.
It's declared on an inner scope regarding this one. Also, if if self.name != 'activedirectory': - it's not declared at all. Move host_list = [] outside of the if.

[b-a-t]

Minor thing, but you can just declare above fnldap = None and avoid having else: clause.

[b-a-t]

Better to declare it as: def tryConnect(self, host, port, fnldap = None):

[b-a-t]

Actually, as we only call get_ldap_servers we don't need all this code around fnldap, see below.

[b-a-t]

@miwi-fbsd says that Jenkins fails cause your branch is outdated and requires rebase. Can you try it with next iteration?

[b-a-t]

So, who is the host here? Originally that was one of the DCs, but get_ldap_servers() expects domain instead:

    def get_ldap_servers(domain, site=None):
        dcs = []
        if not domain:
            return dcs

        host = "_ldap._tcp.%s" % domain
        if site:
            host = "_ldap._tcp.%s._sites.%s" % (site, domain)

        dcs = FreeNAS_ActiveDirectory_Base.get_SRV_records(host)
        return dcs

[anodos325]

Host is ultimately from freenas-v1.db here:
sqlite> SELECT sm_host FROM services_servicemonitor ;
sm_host = THEGIBSON.LAN

            thread = ServiceMonitorThread(
                id=s['id'], frequency=s['sm_frequency'], retry=s['sm_retry'],
                host=s['sm_host'], port=s['sm_port'], name=thread_name,
                logger=self.logger, middleware=self.middleware
            )

It is the domain.

[b-a-t]

def port_is_listening(host, port, errors=[]): looks very similar to the given code, except it doesn't set any timeout for the socket connection. It may be reasonable to add:

   def port_is_listening(host, port, errors=[], timeout=0):
       ....
       if timeout:
          s.settimeout(timeout)

in the freenasldap.py.

[jhixson74]

I think we talked about this Andrew, timur is correct

[anodos325]

Okay. Made changes.

[b-a-t]

We can simply call:

host_list = FreeNAS_ActiveDirectory_Base.get_ldap_servers(host)

as it's a static method of the class. So no need for creating fnldap object at all, neither for passing it around.

[b-a-t]

Found in the dns.resolver.__init__ reference to the attribute self.rotate, which shuffles list of the nameservers, allowing to pick the random one for the start. Not sure, does that make any benefit in this situation.

[jhixson74]

I like my bike sheds painted hot pink

[jhixson74]

How about naming this "_restart_activedirectory" since that is what it is actually doing ;-) If you are going to make a reload method, then have to reload samba_server ;-)

[anodos325]

We already have a _restart_active directory method that calls "/etc/directoryservice/ActiveDirectory/ctl restart". I don't see any reason to change the existing restart method because we want to start from a clean slate to ensure proper AD join.

What I would ideally prefer here is regenerating smb4.conf (if needed) and killing / restarting winbind process as an "AD reload". I.e. _reload_cifs, then restart winbind. This will force new DC connection, but not kill existing SMB sessions.

It should be something less than a full "AD restart", but more than just reloading a config file.

[jhixson74]

You can just import FreeNAS_ActiveDirectory here, there is no need to use the base class

[jhixson74]

I think we talked about this Andrew, timur is correct

[jhixson74]

s/FreeNAS_ActiveDirectory_Base/FreeNAS_ActiveDirectory/

[jhixson74]

s/FreeNAS_ActiveDirectory_Base/FreeNAS_ActiveDirectory/

[jhixson74]

Good to go