From: Andrew Bartlett
Date: Thu, 16 Jul 2009 07:37:36 +0000 (+1000)
Subject: s4:kdc Rework KDC to pull in less attributes for krbtgt lookups
X-Git-Tag: tevent-0.9.8~710^2~84
X-Git-Url: http://git.samba.org/samba.git/?p=ira%2Fwip.git;a=commitdiff_plain;h=19bc4ce95ca9b2a985313f5eb887275aa6fe3599

s4:kdc Rework KDC to pull in less attributes for krbtgt lookups

Each attribute we request from LDB comes with a small cost, so don't lookup any more than we must for the (very) frequent krbtgt lookup case.

Similarly, we don't need to build a PAC for a server (as a target), so don't ask for the PAC attributes here either.

Andrew Bartlett
---
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 6bad0178629..8a0f12efd8a 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -23,6 +23,8 @@
 #include "librpc/gen_ndr/ndr_krb5pac.h"
+extern const char *krbtgt_attrs[];
+extern const char *server_attrs[];
 extern const char *user_attrs[];
 union netr_Validation;
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index c396662c127..635d94242f6 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -32,25 +32,37 @@
 #include "param/param.h"
 #include "auth/auth_sam.h"
-const char *user_attrs[] = {
- /* required for the krb5 kdc */
- "objectClass",
- "sAMAccountName",
- "userPrincipalName",
- "servicePrincipalName",
- "msDS-KeyVersionNumber",
- "supplementalCredentials",
+#define KRBTGT_ATTRS \
+ /* required for the krb5 kdc */ \
+ "objectClass", \
+ "sAMAccountName", \
+ "userPrincipalName", \
+ "servicePrincipalName", \
+ "msDS-KeyVersionNumber", \
+ "supplementalCredentials", \
+ \
+ /* passwords */ \
+ "dBCSPwd", \
+ "unicodePwd", \
+ \
+ "userAccountControl", \
+ "objectSid", \
+ \
+ "pwdLastSet", \
+ "accountExpires"
+
+const char *krbtgt_attrs[] = {
+ KRBTGT_ATTRS
+};
- /* passwords */
- "dBCSPwd",
- "unicodePwd",
+const char *server_attrs[] = {
+ KRBTGT_ATTRS
+};
- "userAccountControl",
+const char *user_attrs[] = {
+ KRBTGT_ATTRS,
- "pwdLastSet",
- "accountExpires",
 "logonHours",
- "objectSid",
 /* check 'allowed workstations' */
 "userWorkstations",
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 25b0deb082e..435282a0c10 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -1044,11 +1044,10 @@ static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db,
 int lret;
 char *realm_fixed;
- const char * const *princ_attrs = user_attrs;
 lret = gendb_search_single_extended_dn(db->hdb_db, mem_ctx,
 realm_dn, LDB_SCOPE_SUBTREE,
- &msg, princ_attrs,
+ &msg, krbtgt_attrs,
 "(&(objectClass=user)(samAccountName=krbtgt))");
 if (lret == LDB_ERR_NO_SUCH_OBJECT) {
 krb5_warnx(context, "hdb_samba4_fetch: could not find own KRBTGT in DB!");
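Review bot: `krbtgt_attrs` and `server_attrs` are initialised as `{ KRBTGT_ATTRS }` with no terminating `NULL`, while the tail of `user_attrs` (everything after `"userWorkstations",`) lies outside the hunk and presumably still ends in the NULL terminator that ldb attribute lists carry. If gendb_search_single_extended_dn walks the list until it finds NULL, both new arrays are read past their end and whatever pointer follows them in memory is handed to ldb as an attribute name; the two call sites in hdb-samba4.c that now pass `krbtgt_attrs` and `server_attrs` would hit this on every krbtgt and server lookup, which is the hot path this commit is optimising. Both initialisers should read `KRBTGT_ATTRS, NULL`, and a one-line comment on the macro, `/* no trailing comma or NULL: each array adds its own terminator */`, would keep the next list built from it correct.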
@@ -1134,17 +1133,16 @@ static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db,
 }
-static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
- struct loadparm_context *lp_ctx,
- TALLOC_CTX *mem_ctx,
- krb5_const_principal principal,
- unsigned flags,
- hdb_entry_ex *entry_ex)
+static krb5_error_code hdb_samba4_lookup_server(krb5_context context, HDB *db,
+ struct loadparm_context *lp_ctx,
+ TALLOC_CTX *mem_ctx,
+ krb5_const_principal principal,
+ const char **attrs,
+ struct ldb_dn **realm_dn,
+ struct ldb_message **msg)
 {
 krb5_error_code ret;
 const char *realm;
- struct ldb_message *msg = NULL;
- struct ldb_dn *realm_dn;
 if (principal->name.name_string.len >= 2) {
 /* 'normal server' case */
 int ldb_ret;
@@ -1164,7 +1162,7 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
 * referral instead */
 nt_status = crack_service_principal_name((struct ldb_context *)db->hdb_db, mem_ctx,
 principal_string,
- &user_dn, &realm_dn);
+ &user_dn, realm_dn);
 free(principal_string);
 if (!NT_STATUS_IS_OK(nt_status)) {
@@ -1174,7 +1172,7 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
 ldb_ret = gendb_search_single_extended_dn((struct ldb_context *)db->hdb_db, mem_ctx,
 user_dn, LDB_SCOPE_BASE,
- &msg, user_attrs,
+ msg, attrs,
 "(objectClass=*)");
 if (ldb_ret != LDB_SUCCESS) {
 return HDB_ERR_NOENTRY;
@@ -1183,10 +1181,9 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
 } else {
 int lret;
 char *filter = NULL;
- const char * const *princ_attrs = user_attrs;
 char *short_princ;
 /* server as client principal case, but we must not lookup userPrincipalNames */
- realm_dn = ldb_get_default_basedn(db->hdb_db);
+ *realm_dn = ldb_get_default_basedn(db->hdb_db);
 realm = krb5_principal_get_realm(context, principal);
 /* TODO: Check if it is our realm, otherwise give referall */
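Review bot: The removed `struct ldb_message *msg = NULL;` initialisation is not carried over anywhere: `hdb_samba4_lookup_server` writes through `msg` and `realm_dn` only on the paths that actually perform a search, and the new caller in the last hunk declares `struct ldb_message *msg;` and `struct ldb_dn *realm_dn;` uninitialised before passing their addresses in. If any path reaches the final `return 0` without both assignments having run, `hdb_samba4_message2entry` receives indeterminate pointers rather than the NULL the old code guaranteed. Setting `*msg = NULL;` and `*realm_dn = NULL;` at the top of the new function restores that guarantee and turns a missed assignment into a reproducible NULL rather than undefined behaviour in the KDC. As a point of style, `attrs` could keep the `const char * const *` qualification the removed `princ_attrs` locals had, since the lists are only read. The body of hdb_samba4_lookup_server continues outside this hunk.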
@@ -1200,8 +1197,8 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
 }
 lret = gendb_search_single_extended_dn(db->hdb_db, mem_ctx,
- realm_dn, LDB_SCOPE_SUBTREE,
- &msg, princ_attrs, "(&(objectClass=user)(samAccountName=%s))",
+ *realm_dn, LDB_SCOPE_SUBTREE,
+ msg, attrs, "(&(objectClass=user)(samAccountName=%s))",
 ldb_binary_encode_string(mem_ctx, short_princ));
 free(short_princ);
 if (lret == LDB_ERR_NO_SUCH_OBJECT) {
@@ -1215,6 +1212,26 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
 }
 }
+ return 0;
+}
+
+static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
+ struct loadparm_context *lp_ctx,
+ TALLOC_CTX *mem_ctx,
+ krb5_const_principal principal,
+ unsigned flags,
+ hdb_entry_ex *entry_ex)
+{
+ krb5_error_code ret;
+ struct ldb_dn *realm_dn;
+ struct ldb_message *msg;
+
+ ret = hdb_samba4_lookup_server(context, db, lp_ctx, mem_ctx, principal,
+ server_attrs, &realm_dn, &msg);
+ if (ret != 0) {
+ return ret;
+ }
+
 ret = hdb_samba4_message2entry(context, db, lp_ctx, mem_ctx, principal, HDB_SAMBA4_ENT_TYPE_SERVER, realm_dn, msg, entry_ex);