[SCM] Samba Shared Repository - branch master updated

Matthias Dieter Wallnöfer mdw at samba.org
Mon Jun 28 12:32:08 MDT 2010


The branch, master has been updated
       via  b6eb17e... s4:auth/sam.c - "authsam_expand_nested_groups" - small performance improvement
       via  a782eaa... s4:auth/sam.c - "authsam_expand_nested_groups" - cosmetic/comments
       via  03ffed7... s4:auth/sam.c - "authsam_expand_nested_groups" - use "dsdb_search_dn" where possible
      from  5f9a053... selftest: Remove accidentally committed dummy test.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b6eb17eb1eb23461149b6c8cbefc41f5265a77d9
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Mon Jun 28 20:26:16 2010 +0200

    s4:auth/sam.c - "authsam_expand_nested_groups" - small performance improvement
    
    We can save one search operation if "only_childs" is false and when we had no
    SID passed as extended DN component.

commit a782eaa2fd6f9b7e7b1ebdab0e0b53e4123cca43
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Mon Jun 28 20:25:47 2010 +0200

    s4:auth/sam.c - "authsam_expand_nested_groups" - cosmetic/comments

commit 03ffed73db41e9433ddc41a6fddf79c2a632a043
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Mon Jun 28 19:57:12 2010 +0200

    s4:auth/sam.c - "authsam_expand_nested_groups" - use "dsdb_search_dn" where possible
    
    And always catch LDB errors

-----------------------------------------------------------------------

Summary of changes:
 source4/auth/sam.c |   40 +++++++++++++++++++++++++++-------------
 1 files changed, 27 insertions(+), 13 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index b0fc9ca..d0487ce 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -279,16 +279,16 @@ static bool sids_contains_sid(const struct dom_sid **sids,
 
 
 /*
- * This function generates the transitive closure of a given SID "sid" (it
- * basically expands nested groups of a SID).
- * If the SID isn't located in the "res_sids" structure yet and the
- * "only_childs" flag is negative, we add it to "res_sids".
+ * This function generates the transitive closure of a given SAM object "dn_val"
+ * (it basically expands nested memberships).
+ * If the object isn't located in the "res_sids" structure yet and the
+ * "only_childs" flag is false, we add it to "res_sids".
  * Then we've always to consider the "memberOf" attributes. We invoke the
- * function recursively on each item of it with the "only_childs" flag set to
+ * function recursively on each of it with the "only_childs" flag set to
  * "false".
- * The "only_childs" flag is particularly useful if you have a user SID and
- * want to include all his groups (referenced with "memberOf") without his SID
- * itself, or considering if that SID matches the filter
+ * The "only_childs" flag is particularly useful if you have a user object and
+ * want to include all it's groups (referenced with "memberOf") but not itself
+ * or considering if that object matches the filter.
  *
  * At the beginning "res_sids" should reference to a NULL pointer.
  */
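Review bot: The reworded header comment introduces two wording slips that make the contract harder to read: "recursively on each of it" lost its noun, and "all it's groups" should be the possessive. Suggested wording: `function recursively on each item of it with the "only_childs" flag set to` and `want to include all its groups (referenced with "memberOf") but not itself`. Since this function expands group memberships, it would also help if the comment stated what the caller gets back when a "memberOf" target cannot be found; that behaviour is not visible in this hunk.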
@@ -304,7 +304,7 @@ NTSTATUS authsam_expand_nested_groups(struct ldb_context *sam_ctx,
 	struct ldb_dn *dn;
 	struct dom_sid sid;
 	TALLOC_CTX *tmp_ctx;
-	struct ldb_result *res;
+	struct ldb_result *res = NULL;
 	NTSTATUS status;
 	const struct ldb_message_element *el;
 
@@ -320,15 +320,22 @@ NTSTATUS authsam_expand_nested_groups(struct ldb_context *sam_ctx,
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	}
 
+	/* We expect an extended DN with the SID included but we can fallback
+	 * to search the extended components if they weren't provided. */
 	status = dsdb_get_extended_dn_sid(dn, &sid, "SID");
 	if (!NT_STATUS_IS_OK(status)) {
-		ret = dsdb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, NULL);
+		ret = dsdb_search_dn(sam_ctx, tmp_ctx, &res, dn, attrs,
+				     DSDB_SEARCH_SHOW_EXTENDED_DN);
+		if (ret != LDB_SUCCESS) {
+			talloc_free(tmp_ctx);
+			return NT_STATUS_INTERNAL_DB_CORRUPTION;
+		}
 		dn = res->msgs[0]->dn;
 		status = dsdb_get_extended_dn_sid(dn, &sid, "SID");
 	}
 
 	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0, (__location__ ": when parsing DN %s we failed to find or parse SID component, so we cannot calculate the group token: %s\n",
+		DEBUG(0, (__location__ ": when parsing DN %s we failed to find or SID component, so we cannot calculate the group token: %s\n",
 			  ldb_dn_get_extended_linearized(tmp_ctx, dn, 1), 
 			  nt_errstr(status)));
 		talloc_free(tmp_ctx);
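Review bot: The fallback path dereferences `res->msgs[0]` after testing only `ret != LDB_SUCCESS`. Whether dsdb_search_dn guarantees exactly one message on success is not visible here, so a count check would make the dereference safe regardless: `if (ret != LDB_SUCCESS || res->count != 1) {`. This path also maps every LDB error, including LDB_ERR_NO_SUCH_OBJECT, to NT_STATUS_INTERNAL_DB_CORRUPTION, while the later search result is tested for LDB_ERR_NO_SUCH_OBJECT separately (last hunk). A stale "memberOf" value would therefore fail here but presumably not there, so it is worth confirming which outcome is intended. The edited DEBUG string dropped a word and now reads "failed to find or SID component"; the function body continues outside this hunk.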
@@ -336,7 +343,12 @@ NTSTATUS authsam_expand_nested_groups(struct ldb_context *sam_ctx,
 	}
 
 	if (only_childs) {
-		ret = dsdb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, NULL);
+		/* If we didn't get the SID as extended DN then we already have
+		 * performed exactly this search. */
+		if (res == NULL) {
+			ret = dsdb_search_dn(sam_ctx, tmp_ctx, &res, dn, attrs,
+					     DSDB_SEARCH_SHOW_EXTENDED_DN);
+		}
 	} else {
 		/* This is an O(n^2) linear search */
 		already_there = sids_contains_sid((const struct dom_sid**) *res_sids,
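Review bot: When `res` is reused in the `only_childs` branch, `ret` is not assigned there, so the `LDB_ERR_NO_SUCH_OBJECT` test further down reads the value left by the fallback search. That is correct only because the fallback returns early on any error, and a comment should say so, e.g. `/* res != NULL implies the fallback search succeeded, so ret == LDB_SUCCESS */`. The reuse also depends on both calls passing the same `attrs` and `DSDB_SEARCH_SHOW_EXTENDED_DN` flag, which a later edit could silently break. The commit message describes the saving for "only_childs" false, but the reuse sits in the `if (only_childs)` branch; the else branch still issues its own filtered search.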
@@ -345,7 +357,9 @@ NTSTATUS authsam_expand_nested_groups(struct ldb_context *sam_ctx,
 			return NT_STATUS_OK;
 		}
 
-		ret = dsdb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "%s", filter);
+		ret = dsdb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
+				  attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "%s",
+				  filter);
 	}
 
 	if (ret == LDB_ERR_NO_SUCH_OBJECT) {


-- 
Samba Shared Repository

