authorAndrew Bartlett <abartlet@samba.org>2009-07-16 17:37:36 +1000
committerAndrew Bartlett <abartlet@samba.org>2009-07-17 08:26:49 +1000
commit19bc4ce95ca9b2a985313f5eb887275aa6fe3599 (patch)
tree0a8f1df46ecd030986493ca6d9b7b7bb6c88adf3
parentd7b31ff853ac06d5021314be698109f8487770f9 (diff)
s4:kdc Rework KDC to pull in less attributes for krbtgt lookups
Each attribute we request from LDB comes with a small cost, so don't look up any more than we must for the (very) frequent krbtgt lookup case. Similarly, we don't need to build a PAC for a server (as a target), so don't ask for the PAC attributes here either. Andrew Bartlett
-rw-r--r--source4/auth/auth.h2
-rw-r--r--source4/auth/sam.c42
-rw-r--r--source4/kdc/hdb-samba4.c49
3 files changed, 62 insertions, 31 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 6bad017862..8a0f12efd8 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -23,6 +23,8 @@
#include "librpc/gen_ndr/ndr_krb5pac.h"
+extern const char *krbtgt_attrs[];
+extern const char *server_attrs[];
extern const char *user_attrs[];
union netr_Validation;
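Review bot: The two new externs carry no comment saying which lookup each list serves, so a reader of auth.h cannot tell krbtgt_attrs, server_attrs and user_attrs apart without opening sam.c, where server_attrs and krbtgt_attrs are currently the same macro expansion. I'd add above them `/* LDB attribute lists for the KDC: krbtgt lookup, server (target) lookup and user (client) lookup; defined in auth/sam.c. */`. If the arrays are never written, `extern const char * const krbtgt_attrs[];` would also stop callers from rebinding entries, though user_attrs would then need the same change to stay consistent.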
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index c396662c12..635d94242f 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -32,25 +32,37 @@
#include "param/param.h"
#include "auth/auth_sam.h"
-const char *user_attrs[] = {
- /* required for the krb5 kdc */
- "objectClass",
- "sAMAccountName",
- "userPrincipalName",
- "servicePrincipalName",
- "msDS-KeyVersionNumber",
- "supplementalCredentials",
+#define KRBTGT_ATTRS \
+ /* required for the krb5 kdc */ \
+ "objectClass", \
+ "sAMAccountName", \
+ "userPrincipalName", \
+ "servicePrincipalName", \
+ "msDS-KeyVersionNumber", \
+ "supplementalCredentials", \
+ \
+ /* passwords */ \
+ "dBCSPwd", \
+ "unicodePwd", \
+ \
+ "userAccountControl", \
+ "objectSid", \
+ \
+ "pwdLastSet", \
+ "accountExpires"
+
+const char *krbtgt_attrs[] = {
+ KRBTGT_ATTRS
+};
- /* passwords */
- "dBCSPwd",
- "unicodePwd",
+const char *server_attrs[] = {
+ KRBTGT_ATTRS
+};
- "userAccountControl",
+const char *user_attrs[] = {
+ KRBTGT_ATTRS,
- "pwdLastSet",
- "accountExpires",
"logonHours",
- "objectSid",
/* check 'allowed workstations' */
"userWorkstations",
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 25b0deb082..435282a0c1 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -1044,11 +1044,10 @@ static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db,
int lret;
char *realm_fixed;
- const char * const *princ_attrs = user_attrs;
lret = gendb_search_single_extended_dn(db->hdb_db, mem_ctx,
realm_dn, LDB_SCOPE_SUBTREE,
- &msg, princ_attrs,
+ &msg, krbtgt_attrs,
"(&(objectClass=user)(samAccountName=krbtgt))");
if (lret == LDB_ERR_NO_SUCH_OBJECT) {
krb5_warnx(context, "hdb_samba4_fetch: could not find own KRBTGT in DB!");
@@ -1134,17 +1133,16 @@ static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db,
}
-static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
- struct loadparm_context *lp_ctx,
- TALLOC_CTX *mem_ctx,
- krb5_const_principal principal,
- unsigned flags,
- hdb_entry_ex *entry_ex)
+static krb5_error_code hdb_samba4_lookup_server(krb5_context context, HDB *db,
+ struct loadparm_context *lp_ctx,
+ TALLOC_CTX *mem_ctx,
+ krb5_const_principal principal,
+ const char **attrs,
+ struct ldb_dn **realm_dn,
+ struct ldb_message **msg)
{
krb5_error_code ret;
const char *realm;
- struct ldb_message *msg = NULL;
- struct ldb_dn *realm_dn;
if (principal->name.name_string.len >= 2) {
/* 'normal server' case */
int ldb_ret;
@@ -1164,7 +1162,7 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
* referral instead */
nt_status = crack_service_principal_name((struct ldb_context *)db->hdb_db,
mem_ctx, principal_string,
- &user_dn, &realm_dn);
+ &user_dn, realm_dn);
free(principal_string);
if (!NT_STATUS_IS_OK(nt_status)) {
@@ -1174,7 +1172,7 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
ldb_ret = gendb_search_single_extended_dn((struct ldb_context *)db->hdb_db,
mem_ctx,
user_dn, LDB_SCOPE_BASE,
- &msg, user_attrs,
+ msg, attrs,
"(objectClass=*)");
if (ldb_ret != LDB_SUCCESS) {
return HDB_ERR_NOENTRY;
@@ -1183,10 +1181,9 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
} else {
int lret;
char *filter = NULL;
- const char * const *princ_attrs = user_attrs;
char *short_princ;
/* server as client principal case, but we must not lookup userPrincipalNames */
- realm_dn = ldb_get_default_basedn(db->hdb_db);
+ *realm_dn = ldb_get_default_basedn(db->hdb_db);
realm = krb5_principal_get_realm(context, principal);
/* TODO: Check if it is our realm, otherwise give referall */
@@ -1200,8 +1197,8 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
}
lret = gendb_search_single_extended_dn(db->hdb_db, mem_ctx,
- realm_dn, LDB_SCOPE_SUBTREE,
- &msg, princ_attrs, "(&(objectClass=user)(samAccountName=%s))",
+ *realm_dn, LDB_SCOPE_SUBTREE,
+ msg, attrs, "(&(objectClass=user)(samAccountName=%s))",
ldb_binary_encode_string(mem_ctx, short_princ));
free(short_princ);
if (lret == LDB_ERR_NO_SUCH_OBJECT) {
@@ -1215,6 +1212,26 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
}
}
+ return 0;
+}
+
+static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
+ struct loadparm_context *lp_ctx,
+ TALLOC_CTX *mem_ctx,
+ krb5_const_principal principal,
+ unsigned flags,
+ hdb_entry_ex *entry_ex)
+{
+ krb5_error_code ret;
+ struct ldb_dn *realm_dn;
+ struct ldb_message *msg;
+
+ ret = hdb_samba4_lookup_server(context, db, lp_ctx, mem_ctx, principal,
+ server_attrs, &realm_dn, &msg);
+ if (ret != 0) {
+ return ret;
+ }
+
ret = hdb_samba4_message2entry(context, db, lp_ctx, mem_ctx,
principal, HDB_SAMBA4_ENT_TYPE_SERVER,
realm_dn, msg, entry_ex);
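Review bot: In the new hdb_samba4_fetch_server, `struct ldb_dn *realm_dn;` and `struct ldb_message *msg;` are declared without initialisers, whereas the locals removed from the old body started with `msg = NULL`; if any path through hdb_samba4_lookup_server returns 0 without storing through both out-pointers (parts of its body lie outside the hunks), hdb_samba4_message2entry receives indeterminate pointers. Initialise them, `struct ldb_dn *realm_dn = NULL;` and `struct ldb_message *msg = NULL;`, so a missed assignment becomes a NULL the callee can detect rather than undefined behaviour. A smaller point at the @@ -1134 hunk: the helper's `const char **attrs` is weaker than the `const char * const *princ_attrs` locals it replaces, and the old code shows gendb_search_single_extended_dn already accepts the stronger type, so `const char * const *attrs` would keep that qualification. hdb_samba4_fetch_server's body continues past the end of the hunk.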