usr/src/uts/common/smbsrv/smb_token.h

   1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
  23  * Use is subject to license terms.
  24  *
  25  * Copyright 2015 Nexenta Systems, Inc.  All rights reserved.
  26  */
  27
  28 #ifndef _SMB_TOKEN_H
  29 #define _SMB_TOKEN_H
  30
  31 #include <smbsrv/smb_inet.h>
  32 #include <smbsrv/smb_privilege.h>
  33 #include <smbsrv/smb_sid.h>
  34
  35 /*
  36  * Don't want <smbsrv/netrauth.h> in here, but
  37  * uts/common/fs/smbsrv/smb_authenticate.c
  38  * wants this.  Todo: cleanup
  39  */
  40 #define NETR_NETWORK_LOGON                      0x02
  41
  42 #ifdef __cplusplus
  43 extern "C" {
  44 #endif
  45
  46 /*
  47  * 32-bit opaque buffer (non-null terminated strings)
  48  * See also: smb_buf32_xdr()
  49  */
  50 typedef struct smb_buf32 {
  51         uint32_t        len;
  52         uint8_t         *val;
  53 } smb_buf32_t;
  54
  55 /*
  56  * Access Token
  57  *
  58  * An access token identifies a user, the user's privileges and the
  59  * list of groups of which the user is a member. This information is
  60  * used when access is requested to an object by comparing this
  61  * information with the DACL in the object's security descriptor.
  62  *
  63  * There should be one unique token per user per session per client.
  64  *
  65  * Access Token Flags
  66  *
  67  * SMB_ATF_GUEST        Token belongs to guest user
  68  * SMB_ATF_ANON         Token belongs to anonymous user
  69  *                      and it's only good for IPC Connection.
  70  * SMB_ATF_POWERUSER    Token belongs to a Power User member
  71  * SMB_ATF_BACKUPOP     Token belongs to a Power User member
  72  * SMB_ATF_ADMIN        Token belongs to a Domain Admins member
  73  */
  74 #define SMB_ATF_GUEST           0x00000001
  75 #define SMB_ATF_ANON            0x00000002
  76 #define SMB_ATF_POWERUSER       0x00000004
  77 #define SMB_ATF_BACKUPOP        0x00000008
  78 #define SMB_ATF_ADMIN           0x00000010
  79
  80 #define SMB_POSIX_GRPS_SIZE(n) \
  81         (sizeof (smb_posix_grps_t) + (n - 1) * sizeof (gid_t))
  82 /*
  83  * It consists of the primary and supplementary POSIX groups.
  84  * See also: smb_posix_grps_xdr()
  85  */
  86 typedef struct smb_posix_grps {
  87         uint32_t        pg_ngrps;
  88         gid_t           pg_grps[ANY_SIZE_ARRAY];
  89 } smb_posix_grps_t;
  90
  91 /*
  92  * An NT-style logon "token" (NT terminology)
  93  * See also: smb_token_xdr()
  94  */
  95 typedef struct smb_token {
  96         smb_id_t        tkn_user;
  97         smb_id_t        tkn_owner;
  98         smb_id_t        tkn_primary_grp;
  99         smb_ids_t       tkn_win_grps;
 100         smb_privset_t   *tkn_privileges;
 101         char            *tkn_account_name;
 102         char            *tkn_domain_name;
 103         uint32_t        tkn_flags;
 104         uint32_t        tkn_audit_sid;
 105         smb_buf32_t     tkn_ssnkey;
 106         smb_posix_grps_t *tkn_posix_grps;
 107 } smb_token_t;
 108
 109 /*
 110  * Details required to authenticate a user.
 111  * See also: smb_logon_xdr()
 112  */
 113 typedef struct smb_logon {
 114         uint16_t        lg_level;
 115         char            *lg_username;   /* requested username */
 116         char            *lg_domain;     /* requested domain */
 117         char            *lg_e_username; /* effective username */
 118         char            *lg_e_domain;   /* effective domain */
 119         char            *lg_workstation;
 120         smb_inaddr_t    lg_clnt_ipaddr;
 121         smb_inaddr_t    lg_local_ipaddr;
 122         uint16_t        lg_local_port;
 123         smb_buf32_t     lg_challenge_key;
 124         smb_buf32_t     lg_nt_password;
 125         smb_buf32_t     lg_lm_password;
 126         uint32_t        lg_ntlm_flags;
 127         int             lg_native_os;
 128         int             lg_native_lm;
 129         uint32_t        lg_flags;
 130         uint32_t        lg_logon_id;    /* filled in user space */
 131         uint32_t        lg_domain_type; /* filled in user space */
 132         uint32_t        lg_secmode;     /* filled in user space */
 133         uint32_t        lg_status;      /* filled in user space */
 134 } smb_logon_t;
 135
 136 /*
 137  * This is the name of the local (AF_UNIX) socket
 138  * where the SMB auth. service listens.
 139  */
 140 #define SMB_AUTHSVC_SOCKNAME    "/var/smb/lipc/smbauth"
 141
 142 /*
 143  * Maximum number of authentcation conversations at one time.
 144  * Note this is _NOT_ the max. number of logged on users,
 145  * which can be much larger.
 146  */
 147 #define SMB_AUTHSVC_MAXTHREAD   256
 148
 149 /*
 150  * Messages to and from the local security authority
 151  * Type codes:
 152  */
 153 typedef enum smb_lsa_mtype {
 154         /* reply types */
 155         LSA_MTYPE_OK    = 0,
 156         LSA_MTYPE_ERROR,
 157         LSA_MTYPE_ES_DONE,      /* ext. sec: authenticated */
 158         LSA_MTYPE_ES_CONT,      /* more processing required */
 159         LSA_MTYPE_TOKEN,        /* smb_token_t */
 160
 161         /* request types */
 162         LSA_MTYPE_OLDREQ,       /* non-ext. sec. session setup */
 163         LSA_MTYPE_CLINFO,       /* client info sent at start of ES */
 164         LSA_MTYPE_ESFIRST,      /* spnego initial message */
 165         LSA_MTYPE_ESNEXT,       /* spnego continuation */
 166         LSA_MTYPE_GETTOK        /* after ES auth, get token */
 167 } smb_lsa_mtype_t;
 168
 169 /*
 170  * msg: header common to all message types
 171  */
 172 typedef struct smb_lsa_msg_hdr {
 173         uint32_t        lmh_msgtype;    /* smb_lsa_mtype_t */
 174         uint32_t        lmh_msglen;     /* size of what follows */
 175 } smb_lsa_msg_hdr_t;
 176
 177 /*
 178  * eresp: error response
 179  * msgtype: LSA_MTYPE_ERESP
 180  */
 181 typedef struct smb_lsa_eresp {
 182         uint32_t        ler_ntstatus;
 183         uint16_t        ler_errclass;
 184         uint16_t        ler_errcode;
 185 } smb_lsa_eresp_t;
 186
 187 /*
 188  * Message for LSA_MTYPE_CLINFO
 189  */
 190 typedef struct smb_lsa_clinfo {
 191         smb_inaddr_t    lci_clnt_ipaddr;
 192         unsigned char   lci_challenge_key[8];
 193         int             lci_native_os;
 194         int             lci_native_lm;
 195 } smb_lsa_clinfo_t;
 196
 197 struct XDR;
 198 int smb_logon_xdr(struct XDR *, smb_logon_t *);
 199 int smb_token_xdr(struct XDR *, smb_token_t *);
 200
 201 #if defined(_KERNEL)
 202 void smb_token_free(smb_token_t *);
 203 #else /* _KERNEL */
 204 smb_token_t *smb_logon(smb_logon_t *);
 205 void smb_logon_abort(void);
 206 void smb_token_destroy(smb_token_t *);
 207 uint8_t *smb_token_encode(smb_token_t *, uint32_t *);
 208 void smb_token_log(smb_token_t *);
 209 smb_logon_t *smb_logon_decode(uint8_t *, uint32_t);
 210 void smb_logon_free(smb_logon_t *);
 211 #endif /* _KERNEL */
 212
 213 int smb_token_query_privilege(smb_token_t *token, int priv_id);
 214 boolean_t smb_token_valid(smb_token_t *);
 215
 216 #ifdef __cplusplus
 217 }
 218 #endif
 219
 220 #endif /* _SMB_TOKEN_H */