author | Andrew Tridgell <tridge@samba.org> | 2009-06-04 14:07:35 +1000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2009-06-04 14:10:11 +1000 |
commit | dfd56dd29415b06b5ea137f8c333da42e8ff1aa6 (patch) | |
tree | 487d0e8f42b6f2c39b15fcea4a1ae52b60518a6b /source4/kdc | |
parent | 0849c1ef77a0538d5d232016a51c002e2197e776 (diff) | |
changed the auth path to use extended DN ops to avoid non-indexed searches
Logs showed that every SAM authentication was causing a non-indexed
ldb search for member=XXX. This was previously indexed in Samba4, but
since we switched to using the indexes from the full AD schema it now
isn't.
The fix is to use the extended DN operations to allow us to ask the
server for the memberOf attribute instead, with the SIDs attached
to the result. This also means one less search on every
authentication.
The patch is made more complex by the fact that some common routines
use the result of these user searches, so we had to update all
searches that uses user_attrs and those common routines to make sure
they all returned a ldb_message with a memberOf filled in and the SIDs
attached.
Diffstat (limited to 'source4/kdc')
-rw-r--r-- | source4/kdc/hdb-samba4.c | 52 |
1 files changed, 25 insertions, 27 deletions
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 585285795f..28a82bcf61 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -921,18 +921,15 @@ static krb5_error_code LDB_lookup_principal(krb5_context context, struct ldb_con krb5_const_principal principal, enum hdb_ldb_ent_type ent_type, struct ldb_dn *realm_dn, - struct ldb_message ***pmsg) + struct ldb_message **pmsg) { krb5_error_code ret; int lret; char *filter = NULL; const char * const *princ_attrs = user_attrs; - char *short_princ; char *short_princ_talloc; - struct ldb_result *res = NULL; - ret = krb5_unparse_name_flags(context, principal, KRB5_PRINCIPAL_UNPARSE_NO_REALM, &short_princ); if (ret != 0) {
@@ -969,19 +966,18 @@ static krb5_error_code LDB_lookup_principal(krb5_context context, struct ldb_con return ENOMEM; } - lret = ldb_search(ldb_ctx, mem_ctx, &res, realm_dn, - LDB_SCOPE_SUBTREE, princ_attrs, "%s", filter); - if (lret != LDB_SUCCESS) { - DEBUG(3, ("Failed to search for %s: %s\n", filter, ldb_errstring(ldb_ctx))); + lret = gendb_search_single_extended_dn(ldb_ctx, mem_ctx, + realm_dn, LDB_SCOPE_SUBTREE, + pmsg, princ_attrs, "%s", filter); + if (lret == LDB_ERR_NO_SUCH_OBJECT) { + DEBUG(3, ("Failed find a entry for %s\n", filter)); return HDB_ERR_NOENTRY; - } else if (res->count == 0 || res->count > 1) { - DEBUG(3, ("Failed find a single entry for %s: got %d\n", filter, res->count)); - talloc_free(res); + } + if (lret != LDB_SUCCESS) { + DEBUG(3, ("Failed single search for for %s - %s\n", + filter, ldb_errstring(ldb_ctx))); return HDB_ERR_NOENTRY; } - talloc_steal(mem_ctx, res->msgs); - *pmsg = res->msgs; - talloc_free(res); return 0; }
@@ -989,7 +985,7 @@ static krb5_error_code LDB_lookup_trust(krb5_context context, struct ldb_context TALLOC_CTX *mem_ctx, const char *realm, struct ldb_dn *realm_dn, - struct ldb_message ***pmsg) + struct ldb_message **pmsg) { int lret; char *filter = NULL; 
@@ -1015,7 +1011,7 @@ static krb5_error_code LDB_lookup_trust(krb5_context context, struct ldb_context return HDB_ERR_NOENTRY; } talloc_steal(mem_ctx, res->msgs); - *pmsg = res->msgs; + *pmsg = res->msgs[0]; talloc_free(res); return 0; }
@@ -1060,7 +1056,7 @@ static krb5_error_code LDB_fetch_client(krb5_context context, HDB *db, char *principal_string; struct ldb_dn *realm_dn; krb5_error_code ret; - struct ldb_message **msg = NULL; + struct ldb_message *msg = NULL; ret = krb5_unparse_name(context, principal, &principal_string);
@@ -1082,7 +1078,7 @@ static krb5_error_code LDB_fetch_client(krb5_context context, HDB *db, ret = LDB_message2entry(context, db, mem_ctx, principal, HDB_SAMBA4_ENT_TYPE_CLIENT, - realm_dn, msg[0], entry_ex); + realm_dn, msg, entry_ex); return ret; }
@@ -1093,7 +1089,7 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, hdb_entry_ex *entry_ex) { krb5_error_code ret; - struct ldb_message **msg = NULL; + struct ldb_message *msg = NULL; struct ldb_dn *realm_dn = ldb_get_default_basedn(db->hdb_db); const char *realm; struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(db->hdb_db, "loadparm"), struct loadparm_context);
@@ -1146,7 +1142,7 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, ret = LDB_message2entry(context, db, mem_ctx, principal, HDB_SAMBA4_ENT_TYPE_KRBTGT, - realm_dn, msg[0], entry_ex); + realm_dn, msg, entry_ex); if (ret != 0) { krb5_warnx(context, "LDB_fetch: self krbtgt message2entry failed"); }
@@ -1183,7 +1179,7 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, ret = LDB_trust_message2entry(context, db, lp_ctx, mem_ctx, principal, direction, - realm_dn, msg[0], entry_ex); + realm_dn, msg, entry_ex); if (ret != 0) { krb5_warnx(context, "LDB_fetch: trust_message2entry failed"); } 
@@ -1204,7 +1200,7 @@ static krb5_error_code LDB_fetch_server(krb5_context context, HDB *db, { krb5_error_code ret; const char *realm; - struct ldb_message **msg = NULL; + struct ldb_message *msg = NULL; struct ldb_dn *realm_dn; if (principal->name.name_string.len >= 2) { /* 'normal server' case */
@@ -1232,10 +1228,12 @@ static krb5_error_code LDB_fetch_server(krb5_context context, HDB *db, return HDB_ERR_NOENTRY; } - ldb_ret = gendb_search_dn((struct ldb_context *)db->hdb_db, - mem_ctx, user_dn, &msg, user_attrs); - - if (ldb_ret != 1) { + ldb_ret = gendb_search_single_extended_dn((struct ldb_context *)db->hdb_db, + mem_ctx, + user_dn, LDB_SCOPE_BASE, + &msg, user_attrs, + "(objectClass=*)"); + if (ldb_ret != LDB_SUCCESS) { return HDB_ERR_NOENTRY; }
@@ -1257,7 +1255,7 @@ static krb5_error_code LDB_fetch_server(krb5_context context, HDB *db, ret = LDB_message2entry(context, db, mem_ctx, principal, HDB_SAMBA4_ENT_TYPE_SERVER, - realm_dn, msg[0], entry_ex); + realm_dn, msg, entry_ex); if (ret != 0) { krb5_warnx(context, "LDB_fetch: message2entry failed"); } |
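Review bot: The explicit rejection of an ambiguous match (`res->count > 1`) that LDB_lookup_principal used to perform is gone from the @@ -969 hunk, so whether a subtree search on a principal-derived filter that hits several entries is still refused now rests entirely on gendb_search_single_extended_dn returning something other than LDB_SUCCESS in that case; its name suggests it does, but that is not visible here and is worth confirming, because silently binding a principal to the first of several accounts would be a security-relevant regression. In the same hunk the LDB_ERR_NO_SUCH_OBJECT branch drops the ldb error string the old path logged, and both new DEBUG messages carry typos that make log searching harder; I would write them as `DEBUG(3, ("Failed to find an entry for %s\n", filter));` and `DEBUG(3, ("Failed single search for %s - %s\n", filter, ldb_errstring(ldb_ctx)));`. LDB_lookup_principal begins outside the hunk, including the construction of `filter` from the unparsed principal, so the escaping of that filter cannot be checked from this page.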