s4:kdc Rework KDC to pull in less attributes for krbtgt lookups
authorAndrew Bartlett <abartlet@samba.org>
Thu, 16 Jul 2009 07:37:36 +0000 (17:37 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 16 Jul 2009 22:26:49 +0000 (08:26 +1000)
Each attribute we request from LDB comes with a small cost, so don't
look up any more than we must for the (very) frequent krbtgt lookup
case.  Similarly, we don't need to build a PAC for a server (as a
target), so don't ask for the PAC attributes here either.

Andrew Bartlett

source4/auth/auth.h
source4/auth/sam.c
source4/kdc/hdb-samba4.c

index 6bad0178629f46bb749d0e8e3986d5069b2aa04d..8a0f12efd8aae39077d2ccdc51e16b70d340c91c 100644 (file)
@@ -23,6 +23,8 @@
 
 #include "librpc/gen_ndr/ndr_krb5pac.h"
 
+extern const char *krbtgt_attrs[];
+extern const char *server_attrs[];
 extern const char *user_attrs[];
 
 union netr_Validation;
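Review bot: The new externs at L22-23 say nothing about how the three attribute lists differ, yet this header is where a caller picks one of them. A comment above L22 such as `/* NULL-terminated ldb attribute lists: krbtgt_attrs and server_attrs are the minimal set for KDC lookups (no PAC attributes); user_attrs is the full set used to build a PAC */` would make the intended choice explicit at the declaration. The commit message carries this rationale, but the code does not.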
index c396662c127dd78aae6301c22eba4f979f5f8438..635d94242f6012643b8a21b153fddd82298a0402 100644 (file)
 #include "param/param.h"
 #include "auth/auth_sam.h"
 
-const char *user_attrs[] = {
-       /* required for the krb5 kdc */
-       "objectClass",
-       "sAMAccountName",
-       "userPrincipalName",
-       "servicePrincipalName",
-       "msDS-KeyVersionNumber",
-       "supplementalCredentials",
+#define KRBTGT_ATTRS \
+       /* required for the krb5 kdc */         \
+       "objectClass",                          \
+       "sAMAccountName",                       \
+       "userPrincipalName",                    \
+       "servicePrincipalName",                 \
+       "msDS-KeyVersionNumber",                \
+       "supplementalCredentials",              \
+                                               \
+       /* passwords */                         \
+       "dBCSPwd",                              \
+       "unicodePwd",                           \
+                                               \
+       "userAccountControl",                   \
+       "objectSid",                            \
+                                               \
+       "pwdLastSet",                           \
+       "accountExpires"                        
+
+const char *krbtgt_attrs[] = {
+       KRBTGT_ATTRS
+};
 
-       /* passwords */
-       "dBCSPwd", 
-       "unicodePwd",
+const char *server_attrs[] = {
+       KRBTGT_ATTRS
+};
 
-       "userAccountControl",
+const char *user_attrs[] = {
+       KRBTGT_ATTRS,
 
-       "pwdLastSet",
-       "accountExpires",
        "logonHours",
-       "objectSid",
 
        /* check 'allowed workstations' */
        "userWorkstations",
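Review bot: Neither `krbtgt_attrs` (L58-60) nor `server_attrs` (L65-67) is NULL-terminated: KRBTGT_ATTRS ends at `"accountExpires"` and the initializer closes immediately after it, while the attribute lists handed to gendb_search_single_extended_dn follow the ldb convention of being walked until a NULL entry, so every krbtgt and server lookup would read past the end of these arrays (user_attrs presumably still ends in NULL, outside the hunk). Change both definitions to `KRBTGT_ATTRS, NULL`. The macro deliberately has no trailing comma, which is what makes `KRBTGT_ATTRS,` at L71 well-formed, so leave the macro itself as it is. The user_attrs definition continues past the end of this hunk.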
index 25b0deb082e995227fe7e48b889b32ea1e51af79..435282a0c103dedc8d559e0dfc553bae7a8e1769 100644 (file)
@@ -1044,11 +1044,10 @@ static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db,
 
                int lret;
                char *realm_fixed;
-               const char * const *princ_attrs = user_attrs;
                
                lret = gendb_search_single_extended_dn(db->hdb_db, mem_ctx, 
                                                       realm_dn, LDB_SCOPE_SUBTREE,
-                                                      &msg, princ_attrs, 
+                                                      &msg, krbtgt_attrs, 
                                                       "(&(objectClass=user)(samAccountName=krbtgt))"); 
                if (lret == LDB_ERR_NO_SUCH_OBJECT) {
                        krb5_warnx(context, "hdb_samba4_fetch: could not find own KRBTGT in DB!");
@@ -1134,17 +1133,16 @@ static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db,
 
 }
 
-static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db, 
-                                       struct loadparm_context *lp_ctx,
-                                       TALLOC_CTX *mem_ctx, 
-                                       krb5_const_principal principal,
-                                       unsigned flags,
-                                       hdb_entry_ex *entry_ex)
+static krb5_error_code hdb_samba4_lookup_server(krb5_context context, HDB *db, 
+                                               struct loadparm_context *lp_ctx,
+                                               TALLOC_CTX *mem_ctx, 
+                                               krb5_const_principal principal,
+                                               const char **attrs,
+                                               struct ldb_dn **realm_dn,
+                                               struct ldb_message **msg)
 {
        krb5_error_code ret;
        const char *realm;
-       struct ldb_message *msg = NULL;
-       struct ldb_dn *realm_dn;
        if (principal->name.name_string.len >= 2) {
                /* 'normal server' case */
                int ldb_ret;
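Review bot: hdb_samba4_lookup_server no longer initializes its outputs: the `msg = NULL` removed at L114 was what guaranteed a NULL message on paths that return before a search fills it, and the caller in the hunk ending at L186 declares `realm_dn` and `msg` uninitialized (L175-176), so any such path, or a caller that looks at them after a non-zero return, reads indeterminate pointers. Add `*realm_dn = NULL;` and `*msg = NULL;` directly after the declarations at L113, and document in a header comment that both are valid only when the function returns 0. `ret` at L112 has no visible use in the new function's hunks; if nothing outside them assigns it, drop it to avoid an unused-variable warning. Several added lines (L104, L106, and L167, L169, L178 in the last hunk) carry trailing whitespace. The function body continues past this hunk.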
@@ -1164,7 +1162,7 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
                 * referral instead */
                nt_status = crack_service_principal_name((struct ldb_context *)db->hdb_db,
                                                         mem_ctx, principal_string, 
-                                                        &user_dn, &realm_dn);
+                                                        &user_dn, realm_dn);
                free(principal_string);
                
                if (!NT_STATUS_IS_OK(nt_status)) {
@@ -1174,7 +1172,7 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
                ldb_ret = gendb_search_single_extended_dn((struct ldb_context *)db->hdb_db,
                                                          mem_ctx, 
                                                          user_dn, LDB_SCOPE_BASE,
-                                                         &msg, user_attrs,
+                                                         msg, attrs,
                                                          "(objectClass=*)");
                if (ldb_ret != LDB_SUCCESS) {
                        return HDB_ERR_NOENTRY;
@@ -1183,10 +1181,9 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
        } else {
                int lret;
                char *filter = NULL;
-               const char * const *princ_attrs = user_attrs;
                char *short_princ;
                /* server as client principal case, but we must not lookup userPrincipalNames */
-               realm_dn = ldb_get_default_basedn(db->hdb_db);
+               *realm_dn = ldb_get_default_basedn(db->hdb_db);
                realm = krb5_principal_get_realm(context, principal);
                
                /* TODO: Check if it is our realm, otherwise give referall */
@@ -1200,8 +1197,8 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
                }
                
                lret = gendb_search_single_extended_dn(db->hdb_db, mem_ctx, 
-                                                      realm_dn, LDB_SCOPE_SUBTREE,
-                                                      &msg, princ_attrs, "(&(objectClass=user)(samAccountName=%s))", 
+                                                      *realm_dn, LDB_SCOPE_SUBTREE,
+                                                      msg, attrs, "(&(objectClass=user)(samAccountName=%s))", 
                                                       ldb_binary_encode_string(mem_ctx, short_princ));
                free(short_princ);
                if (lret == LDB_ERR_NO_SUCH_OBJECT) {
@@ -1215,6 +1212,26 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
                }
        }
 
+       return 0;
+}
+
+static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db, 
+                                              struct loadparm_context *lp_ctx,
+                                              TALLOC_CTX *mem_ctx, 
+                                              krb5_const_principal principal,
+                                              unsigned flags,
+                                              hdb_entry_ex *entry_ex)
+{
+       krb5_error_code ret;
+       struct ldb_dn *realm_dn;
+       struct ldb_message *msg;
+
+       ret = hdb_samba4_lookup_server(context, db, lp_ctx, mem_ctx, principal, 
+                                      server_attrs, &realm_dn, &msg);
+       if (ret != 0) {
+               return ret;
+       }
+
        ret = hdb_samba4_message2entry(context, db, lp_ctx, mem_ctx, 
                                principal, HDB_SAMBA4_ENT_TYPE_SERVER,
                                realm_dn, msg, entry_ex);
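Review bot: The choice of `server_attrs` at L179 is deliberate but undocumented in the code: per the commit message a server principal is never used to build a PAC, so the list omits the PAC attributes, and a reader who sees the same message fed to hdb_samba4_message2entry with HDB_SAMBA4_ENT_TYPE_SERVER may well "fix" it back to user_attrs. A one-line comment above the call at L178, `/* server_attrs omits the PAC attributes: a server (as target) never needs a PAC built for it */`, records that. `flags` now appears unused in the visible part of hdb_samba4_fetch_server; check whether it is still referenced after L186, where the function continues past this hunk.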