author | Andrew Bartlett <abartlet@samba.org> | 2009-07-16 17:37:36 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2009-07-17 08:26:49 +1000 |
commit | 19bc4ce95ca9b2a985313f5eb887275aa6fe3599 (patch) | |
tree | 0a8f1df46ecd030986493ca6d9b7b7bb6c88adf3 /source4/auth | |
parent | d7b31ff853ac06d5021314be698109f8487770f9 (diff) | |
s4:kdc Rework KDC to pull in less attributes for krbtgt lookups
Each attribute we request from LDB comes with a small cost, so don't
lookup any more than we must for the (very) frequent krbtgt lookup
case. Similarly, we don't need to build a PAC for a server (as a
target), so don't ask for the PAC attributes here either.
Andrew Bartlett
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/auth.h | 2 | ||||
-rw-r--r-- | source4/auth/sam.c | 42 |
2 files changed, 29 insertions, 15 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 6bad017862..8a0f12efd8 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -23,6 +23,8 @@
 #include "librpc/gen_ndr/ndr_krb5pac.h"
+extern const char *krbtgt_attrs[];
+extern const char *server_attrs[];
 extern const char *user_attrs[];
 union netr_Validation;
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index c396662c12..635d94242f 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -32,25 +32,37 @@
 #include "param/param.h"
 #include "auth/auth_sam.h"
-const char *user_attrs[] = {
- /* required for the krb5 kdc */
- "objectClass",
- "sAMAccountName",
- "userPrincipalName",
- "servicePrincipalName",
- "msDS-KeyVersionNumber",
- "supplementalCredentials",
+#define KRBTGT_ATTRS \
+ /* required for the krb5 kdc */ \
+ "objectClass", \
+ "sAMAccountName", \
+ "userPrincipalName", \
+ "servicePrincipalName", \
+ "msDS-KeyVersionNumber", \
+ "supplementalCredentials", \
+ \
+ /* passwords */ \
+ "dBCSPwd", \
+ "unicodePwd", \
+ \
+ "userAccountControl", \
+ "objectSid", \
+ \
+ "pwdLastSet", \
+ "accountExpires"
+
+const char *krbtgt_attrs[] = {
+ KRBTGT_ATTRS
+};
- /* passwords */
- "dBCSPwd",
- "unicodePwd",
+const char *server_attrs[] = {
+ KRBTGT_ATTRS
+};
- "userAccountControl",
+const char *user_attrs[] = {
+ KRBTGT_ATTRS,
- "pwdLastSet",
- "accountExpires",
 "logonHours",
- "objectSid",
 /* check 'allowed workstations' */
 "userWorkstations", |
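Review bot: The two new declarations in source4/auth/auth.h, `krbtgt_attrs` and `server_attrs`, are exported with no comment on which lookup each list serves or how the list is terminated. Per the sam.c hunk both expand to a set that contains `unicodePwd`, `dBCSPwd` and `supplementalCredentials`, so any caller that picks one of these names gets credential material back in the result, and that is worth stating where the names are made visible. I would put `/* LDB attribute lists for KDC lookups; must be NULL-terminated; results include password hash attributes */` above the three externs. Declaring them `const char * const` would also keep the tables from being modified at run time, if the existing callers allow it.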
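Review bot: In source4/auth/sam.c, `krbtgt_attrs[]` and `server_attrs[]` are initialised with `KRBTGT_ATTRS` alone, and the macro ends at `"accountExpires"`, so neither array has a terminating `NULL`. If these arrays are handed to an LDB search as a NULL-terminated attribute list, which the commit message suggests but the hunk does not show, the lookup would read past the end of the array on the very frequent krbtgt path. Writing `KRBTGT_ATTRS, NULL` in both initialisers closes that. The initialiser of `user_attrs[]` continues past the end of the hunk, so its terminator cannot be checked from here. Since the two new arrays are identical, a short comment on why both exist would help the next reader.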