okay, i have so much to talk about. storage layer for kova is shipped. it's a from-scratch vector DB in rust, and the storage layer is the bit where every decision has to survive a kill -9 and come back the same. that constraint touches every file, every fsync, every byte format vectors live in an mmap file. fixed stride (a tiny per-slot header plus dim*4 bytes for the data), and every slot self-describes its id and a present flag. no sidecar index file, no separate id->offset map. the cost is that open is O(N): you walk every slot to rebuild the in-memory id_to_slot. the win is there's no two-file atomicity problem: the data IS the index, can't drift from itself. for the workloads i care about (millions of vectors, opened rarely), that's a great trade file growth is doubling, and never shrinks. doubling so per-insert grows amortise away and do not cost much. never shrinks because truncating an mmap region with an outstanding reference is SIGBUS, exactly the kind of bug i shipped once and found much later. deletes don't shrink the file either; freed slots go on a free-list and the next insert reuses them, so a delete-heavy workload stays compact without anyone running vacuum metadata is the opposite shape, so it gets opposite treatment. variable-size (open key-value bags), cold (only read for the final k candidates, not on every graph edge), small in aggregate. so the metadata store keeps the whole map in memory and persists via atomic_write (tmp fsync rename dirsync) on mutation. full-file snapshot, no mmap, no sidecar, no free-list. forcing mmap onto variable-size data would mean a separate id->(offset, length) sidecar plus a free-list for resize-on-update, which is a B-tree in disguise. different access patterns deserve different storage strategies; the same hammer for both is just dogma the WAL is segmented (64 MB rotation), CRC32 length framing per record, torn-tail recovery on the active segment, multi-segment replay in LSN order. the segmentation makes truncate O(1): delete the superseded files all of that gets composed by Shard under strict log-then-mutate. every insert moves through three phases: validate, commit (wal.append wal.sync), apply (index metadata). phase 3 failures panic. the WAL is truth; pretending otherwise to the caller is the only way to corrupt the log on retry. postgres ships this. rocksdb ships this the real centerpiece is Shard::checkpoint. on paper it's "snapshot the index, truncate the WAL." in practice it's six phases that have to commit atomically across multiple files: vacuum tombstones, fsync the WAL to capture a durable LSN, stream the HNSW graph to a snapshot file, write the manifest, truncate the WAL, delete the old snapshot. anywhere in those six phases the process can die, and every kill window has to have a defined answer the whole thing rests on this: the manifest is the only commit point. a tiny atomic_write of a few bytes, names which snapshot generation is live. everything before it is staging. everything after it is best-effort cleanup. kill before the manifest commits, reopen sees the old world and replays the full WAL. kill after, reopen sees the new world and replays WAL only past the checkpoint LSN the snapshot itself is also atomic_write'd (streaming variant, so we don't buffer the whole graph in memory before the rename), but you can't commit snapshot manifest as one operation: POSIX has no atomic_rename_n. so the problem splits naturally. write the big data file atomically and fsync it. then write the tiny pointer file atomically. the manifest exists precisely so that multi-file durability has a single commit point above the data, instead of trying to make the data itself self-committing. and keeping them separate means the checkpoint pays for one snapshot rewrite per checkpoint, not per manifest update; the pointer stays cheap to update even when the thing it points at is huge and snapshots are named graph.{N}.snapshot, not graph.snapshot, for the same reason. a single overwrite has a half-written window where the file is partial but the manifest still points at it. generation numbers let the old file stay valid right up until the manifest atomically swaps the pointer. same trick postgres uses for its SLRU pages. names are cheap, ordering is not 300 SIGKILL torture iterations. 55,697 acked inserts. 962 checkpoints. zero data loss. 234 tests green.

I am just getting started. Its a whole layer of DirSync, Migrations, and orchestrator. It is so cool so far. Connects to AD over Kestrel (DB) and and Agent. Nice to get behind GCC High orgs.

Pythonでバックアップを自動化！ 毎回ファイルをコピペしてる人は dirsync が超便利。 たった数行で、HDDや共有フォルダへの同期が完了。 3つのパターンさえ覚えれば、今日から手動作業無用。 #Python

OktaのMicrosoft Office 365アプリでプロビジョニングを有効にして保存しようとすると、「UNEXPECTED_ERROR」エラーが表示される件（ユーザー同期以上に変更しようとするとコケる） どうやら不具合らしいのでご注意を PowerShellでDirSyncを有効にすれば解決する support.okta.com/help/s/arti…

⚠️ Microsoft Security Update Causes Active Directory Sync Failures on Windows Server 2025 Read more: cybersecuritynews.com/micros… Microsoft's security updates have triggered synchronization failures in Active Directory environments running on Windows Server 2025. The issue, confirmed on October 14, 2025, affects directory synchronization for large security groups, potentially halting critical identity management processes across enterprise networks. Applications relying on the Active Directory directory synchronization (DirSync) control, such as Microsoft Entra Connect Sync, fail to replicate AD security groups with more than 10,000 members fully. #cybersecuritynews #windows

⚠️ Problemas en la sincronización de directorios #ActiveDirectory con Entra Connect Si ustedes tienen: • Grupos de seguridad con más de 10 mil miembros sincronizados (DirSync) • Controladores de dominio con #WindowsServer 2025

From the early days of DirSync, there hasn't been such an interesting security shift. Until now, user credentials were used, often with excessive permissions, and in some cases, even a domain admin object was responsible for the sync. Now, we have service principal certificate. It's definitely worth checking and switching, but be mindful of the subtleties and requirements. It's definitely worth checking and switching, but be mindful of the subtleties and requirements. There's no doubt this significantly reduces risks and attack vectors. So, what are the remaining and new exploitation methods? We’ll discuss that next time :) learn.microsoft.com/en-us/en…

HCL Domino DirSync / Lesson learned - shorturl.at/x7wDL @HCL_CollabSup @HCLAmbassadors

#MSXFAQ Externe Member, Gast, Kontakt msxfaq.de/cloud/identity/ext… - Diese Seite beschäftigst sich mit den vier grundlegenden Benutzerkonten im EntraID, den Exchange Kontakten und deren Verwendung in Exchange/Outlook und Teams. Besonders interessant für Multi-Tenant mit Dirsync

Also its not uncommon to find multiple old sync accounts from older tenants, whenever someone set up new DirSync/AADConnect box, it generated new sync account.

- wrote a letter to IT director of midsize business at age 16 asking for unpaid internship - repaired desktops/laptops part time for said company (paid) 😎 - graduated high school - still did the intern thing, got a B.S. in business/MIS - changed jobs, did sysadmin work - got into cloud at 2014 🌧️ anyone remember dirsync? 😎 - did the management thing for a while but wasn’t my passion - got into hacking in 2016, made me a better defender - did all things AD because of @PyroTek3 - got certified in cloud stuff - hacking clouds now 🌧️

You all realize this all started for me when it was called dirsync. 😂

C:\ on /mnt/c type 9p (rw,noatime,dirsync,aname=drvfs;path=C:\;uid=1000;gid=100;symlinkroot=/mnt/,mmap,access=client,msize=65536,trans=fd,rfd=5,wfd=5) Linux側にはmodeとかmaskとかオプションなさそうなんだよな

Not sure you can DCSync via schannel auth. Fairly sure you could DirSync via schannel auth, but I don't believe it will return secrets even with a secure ldap channel due to the nature of LDAP vs RPC.

exFAT Driver Boasts Much Faster "dirsync" Performance With Linux 6.9 phoronix.com/news/Linux-6.9-…

This is easier in other roles In think. If a T2 tech asks if there's an opening on my team, but has to ask me where the Object tab is in ADUC, can't run a gpresult wo help, and looks at me funny when I start talking about FSMO, PHS, CAPs and dirsync, that's not gatekeeping.

Also, I'm sure you noted the difference, but DirSync (LDAP) vs DCSync (RPC)

Per @joewaredotnet there's also a DirSync per object mode to access DirSync w/o Replicating* rights, but no documentation. And as far as I know, nobody's got it working yet? blog.joeware.net/2018/05/25/…

CVE-2023-4154 A design flaw was found in Samba's DirSync control implementation, which exposes passwords and secrets in Active Directory to privileged users and Read-Only Domain Cont… cve.org/CVERecord?id=CVE-202…

Samba CVE-2023-4154 score a bit low? Aka "In normal operation, passwords and (most) secrets are never disclosed over LDAP in Active Directory. However, ... can instead obtain all domain secrets, including the core AD secret: the krbtgt password" Imagine someone read those forums, and farmed all those KRBTGTs 5 years staight : D Not like people weren't saying: - "Bug 13556 - dirsync is untested and narrowly avoids security issues" - "As foreshadowed in bugzilla.samba.org/show_bug.… dirsync has multiple potential and real issues." - " The dirsync code is misleading and contains dead code that is never hit (due to a single incorrect line of code). However, if this incorrect line of code were corrected, then it could turn into a security hole." First posted: 2018-08-02 03:35:29 UTC