s4:kdc Rework KDC to pull in less attributes for krbtgt lookups

Each attribute we request from LDB comes with a small cost, so don't lookup any more than we must for the (very) frequent krbtgt lookup case. Similarly, we don't need to build a PAC for a server (as a target), so don't ask for the PAC attributes here either. Andrew Bartlett
author: Andrew Bartlett <abartlet@samba.org> 2009-07-16 17:37:36 +1000
committer: Andrew Bartlett <abartlet@samba.org> 2009-07-17 08:26:49 +1000
commit: 19bc4ce95ca9b2a985313f5eb887275aa6fe3599 (patch)
tree: 0a8f1df46ecd030986493ca6d9b7b7bb6c88adf3 /source4/kdc/hdb-samba4.c
parent: d7b31ff853ac06d5021314be698109f8487770f9 (diff)
download: samba-19bc4ce95ca9b2a985313f5eb887275aa6fe3599.tar.gz
1 files changed, 33 insertions, 16 deletions
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 25b0deb082e..435282a0c10 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -1044,11 +1044,10 @@ static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db,
 
 		int lret;
 		char *realm_fixed;
-		const char * const *princ_attrs = user_attrs;
  		
 		lret = gendb_search_single_extended_dn(db->hdb_db, mem_ctx, 
 						       realm_dn, LDB_SCOPE_SUBTREE,
-						       &msg, princ_attrs, 
+						       &msg, krbtgt_attrs, 
 						       "(&(objectClass=user)(samAccountName=krbtgt))"); 
 		if (lret == LDB_ERR_NO_SUCH_OBJECT) {
 			krb5_warnx(context, "hdb_samba4_fetch: could not find own KRBTGT in DB!");
@@ -1134,17 +1133,16 @@ static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db,
 
 }
 
-static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db, 
-					struct loadparm_context *lp_ctx,
-					TALLOC_CTX *mem_ctx, 
-					krb5_const_principal principal,
-					unsigned flags,
-					hdb_entry_ex *entry_ex)
+static krb5_error_code hdb_samba4_lookup_server(krb5_context context, HDB *db, 
+						struct loadparm_context *lp_ctx,
+						TALLOC_CTX *mem_ctx, 
+						krb5_const_principal principal,
+						const char **attrs,
+						struct ldb_dn **realm_dn,
+						struct ldb_message **msg)
 {
 	krb5_error_code ret;
 	const char *realm;
-	struct ldb_message *msg = NULL;
-	struct ldb_dn *realm_dn;
 	if (principal->name.name_string.len >= 2) {
 		/* 'normal server' case */
 		int ldb_ret;
@@ -1164,7 +1162,7 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
 		 * referral instead */
 		nt_status = crack_service_principal_name((struct ldb_context *)db->hdb_db,
 							 mem_ctx, principal_string, 
-							 &user_dn, &realm_dn);
+							 &user_dn, realm_dn);
 		free(principal_string);
 		
 		if (!NT_STATUS_IS_OK(nt_status)) {
@@ -1174,7 +1172,7 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
 		ldb_ret = gendb_search_single_extended_dn((struct ldb_context *)db->hdb_db,
 							  mem_ctx, 
 							  user_dn, LDB_SCOPE_BASE,
-							  &msg, user_attrs,
+							  msg, attrs,
 							  "(objectClass=*)");
 		if (ldb_ret != LDB_SUCCESS) {
 			return HDB_ERR_NOENTRY;
@@ -1183,10 +1181,9 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
 	} else {
 		int lret;
 		char *filter = NULL;
-		const char * const *princ_attrs = user_attrs;
 		char *short_princ;
 		/* server as client principal case, but we must not lookup userPrincipalNames */
-		realm_dn = ldb_get_default_basedn(db->hdb_db);
+		*realm_dn = ldb_get_default_basedn(db->hdb_db);
 		realm = krb5_principal_get_realm(context, principal);
 		
 		/* TODO: Check if it is our realm, otherwise give referall */
@@ -1200,8 +1197,8 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
 		}
 		
 		lret = gendb_search_single_extended_dn(db->hdb_db, mem_ctx, 
-						       realm_dn, LDB_SCOPE_SUBTREE,
-						       &msg, princ_attrs, "(&(objectClass=user)(samAccountName=%s))", 
+						       *realm_dn, LDB_SCOPE_SUBTREE,
+						       msg, attrs, "(&(objectClass=user)(samAccountName=%s))", 
 						       ldb_binary_encode_string(mem_ctx, short_princ));
 		free(short_princ);
 		if (lret == LDB_ERR_NO_SUCH_OBJECT) {
@@ -1215,6 +1212,26 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
 		}
 	}
 
+	return 0;
+}
+
+static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db, 
+					       struct loadparm_context *lp_ctx,
+					       TALLOC_CTX *mem_ctx, 
+					       krb5_const_principal principal,
+					       unsigned flags,
+					       hdb_entry_ex *entry_ex)
+{
+	krb5_error_code ret;
+	struct ldb_dn *realm_dn;
+	struct ldb_message *msg;
+
+	ret = hdb_samba4_lookup_server(context, db, lp_ctx, mem_ctx, principal, 
+				       server_attrs, &realm_dn, &msg);
+	if (ret != 0) {
+		return ret;
+	}
+
 	ret = hdb_samba4_message2entry(context, db, lp_ctx, mem_ctx, 
 				principal, HDB_SAMBA4_ENT_TYPE_SERVER,
 				realm_dn, msg, entry_ex);
author	Andrew Bartlett <abartlet@samba.org>	2009-07-16 17:37:36 +1000
committer	Andrew Bartlett <abartlet@samba.org>	2009-07-17 08:26:49 +1000
commit	19bc4ce95ca9b2a985313f5eb887275aa6fe3599 (patch)
tree	0a8f1df46ecd030986493ca6d9b7b7bb6c88adf3 /source4/kdc/hdb-samba4.c
parent	d7b31ff853ac06d5021314be698109f8487770f9 (diff)
download	samba-19bc4ce95ca9b2a985313f5eb887275aa6fe3599.tar.gz