search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge commit '42a3762d0138d6dd0c0f96964be98d0b21ab6bef'
[unleashed.git] / usr / src / lib / smbsrv / libmlsvc / common / smb_logon.c
blobc3680d2f19017d879ceb8d20f7e7dd36179a27ac
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright (c) 2016 by Delphix. All rights reserved.
24 * Copyright 2017 Nexenta Systems, Inc. All rights reserved.
25 */
26
27 #include <unistd.h>
28 #include <strings.h>
29 #include <pwd.h>
30 #include <grp.h>
31 #include <time.h>
32 #include <syslog.h>
33 #include <assert.h>
34 #include <synch.h>
35
36 #include <smbsrv/libsmb.h>
37 #include <smbsrv/libmlsvc.h>
38
39 #include <smbsrv/smbinfo.h>
40 #include <smbsrv/smb_token.h>
41 #include <lsalib.h>
42
43 static smb_account_t smb_guest;
44 static smb_account_t smb_domusers;
45 static rwlock_t smb_logoninit_rwl;
46
47 typedef void (*smb_logonop_t)(smb_logon_t *, smb_token_t *);
48
49 static void smb_logon_local(smb_logon_t *, smb_token_t *);
50 static void smb_logon_guest(smb_logon_t *, smb_token_t *);
51 static void smb_logon_anon(smb_logon_t *, smb_token_t *);
52
53 static uint32_t smb_token_auth_local(smb_logon_t *, smb_token_t *,
54 smb_passwd_t *);
55
56 static uint32_t smb_token_setup_local(smb_passwd_t *, smb_token_t *);
57 static uint32_t smb_token_setup_guest(smb_logon_t *, smb_token_t *);
58 static uint32_t smb_token_setup_anon(smb_token_t *token);
59
60 static boolean_t smb_token_is_member(smb_token_t *, smb_sid_t *);
61 static uint32_t smb_token_setup_wingrps(smb_token_t *);
62 static smb_posix_grps_t *smb_token_create_pxgrps(uid_t);
63
64 static void smb_guest_account(char *, size_t);
65
66 /* Consolidation private function from Network Repository */
67 extern int _getgroupsbymember(const char *, gid_t[], int, int);
68
69 static idmap_stat
70 smb_token_idmap(smb_token_t *token, smb_idmap_batch_t *sib)
71 {
72 idmap_stat stat;
73 smb_idmap_t *sim;
74 smb_id_t *id;
75 int i;
76
77 if (!token || !sib)
78 return (IDMAP_ERR_ARG);
79
80 sim = sib->sib_maps;
81
82 if (token->tkn_flags & SMB_ATF_ANON) {
83 token->tkn_user.i_id = UID_NOBODY;
84 token->tkn_owner.i_id = UID_NOBODY;
85 } else {
86 /* User SID */
87 id = &token->tkn_user;
88 sim->sim_id = &id->i_id;
89 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++,
90 id->i_sid, SMB_IDMAP_USER);
91
92 if (stat != IDMAP_SUCCESS)
93 return (stat);
94
95 /* Owner SID */
96 id = &token->tkn_owner;
97 sim->sim_id = &id->i_id;
98 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++,
99 id->i_sid, SMB_IDMAP_USER);
100
101 if (stat != IDMAP_SUCCESS)
102 return (stat);
103 }
104
105 /* Primary Group SID */
106 id = &token->tkn_primary_grp;
107 sim->sim_id = &id->i_id;
108 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, id->i_sid,
109 SMB_IDMAP_GROUP);
110
111 if (stat != IDMAP_SUCCESS)
112 return (stat);
113
114 /* Other Windows Group SIDs */
115 for (i = 0; i < token->tkn_win_grps.i_cnt; i++, sim++) {
116 id = &token->tkn_win_grps.i_ids[i];
117 sim->sim_id = &id->i_id;
118 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim,
119 id->i_sid, SMB_IDMAP_GROUP);
120
121 if (stat != IDMAP_SUCCESS)
122 break;
123 }
124
125 return (stat);
126 }
127
128 /*
129 * smb_token_sids2ids
130 *
131 * This will map all the SIDs of the access token to UIDs/GIDs.
132 *
133 * Returns 0 upon success. Otherwise, returns -1.
134 */
135 static int
136 smb_token_sids2ids(smb_token_t *token)
137 {
138 idmap_stat stat;
139 int nmaps;
140 smb_idmap_batch_t sib;
141
142 /*
143 * Number of idmap lookups: user SID, owner SID, primary group SID,
144 * and all Windows group SIDs. Skip user/owner SID for Anonymous.
145 */
146 if (token->tkn_flags & SMB_ATF_ANON)
147 nmaps = token->tkn_win_grps.i_cnt + 1;
148 else
149 nmaps = token->tkn_win_grps.i_cnt + 3;
150
151 stat = smb_idmap_batch_create(&sib, nmaps, SMB_IDMAP_SID2ID);
152 if (stat != IDMAP_SUCCESS)
153 return (-1);
154
155 stat = smb_token_idmap(token, &sib);
156 if (stat != IDMAP_SUCCESS) {
157 smb_idmap_batch_destroy(&sib);
158 return (-1);
159 }
160
161 stat = smb_idmap_batch_getmappings(&sib);
162 smb_idmap_check("smb_idmap_batch_getmappings", stat);
163 smb_idmap_batch_destroy(&sib);
164
165 return (stat == IDMAP_SUCCESS ? 0 : -1);
166 }
167
168 /*
169 * smb_token_create_pxgrps
170 *
171 * Setup the POSIX group membership of the access token if the given UID is
172 * a POSIX UID (non-ephemeral). Both the user's primary group and
173 * supplementary groups will be added to the POSIX group array of the access
174 * token.
175 */
176 static smb_posix_grps_t *
177 smb_token_create_pxgrps(uid_t uid)
178 {
179 struct passwd *pwd;
180 smb_posix_grps_t *pgrps;
181 int ngroups_max, num;
182 gid_t *gids;
183
184 if ((ngroups_max = sysconf(_SC_NGROUPS_MAX)) < 0) {
185 syslog(LOG_ERR, "smb_logon: failed to get _SC_NGROUPS_MAX");
186 return (NULL);
187 }
188
189 pwd = getpwuid(uid);
190 if (pwd == NULL) {
191 pgrps = malloc(sizeof (smb_posix_grps_t));
192 if (pgrps == NULL)
193 return (NULL);
194
195 pgrps->pg_ngrps = 0;
196 return (pgrps);
197 }
198
199 if (pwd->pw_name == NULL) {
200 pgrps = malloc(sizeof (smb_posix_grps_t));
201 if (pgrps == NULL)
202 return (NULL);
203
204 pgrps->pg_ngrps = 1;
205 pgrps->pg_grps[0] = pwd->pw_gid;
206 return (pgrps);
207 }
208
209 gids = (gid_t *)malloc(ngroups_max * sizeof (gid_t));
210 if (gids == NULL) {
211 return (NULL);
212 }
213 bzero(gids, ngroups_max * sizeof (gid_t));
214
215 gids[0] = pwd->pw_gid;
216
217 /*
218 * Setup the groups starting at index 1 (the last arg)
219 * of gids array.
220 */
221 num = _getgroupsbymember(pwd->pw_name, gids, ngroups_max, 1);
222
223 if (num == -1) {
224 syslog(LOG_ERR, "smb_logon: unable "
225 "to get user's supplementary groups");
226 num = 1;
227 }
228
229 pgrps = (smb_posix_grps_t *)malloc(SMB_POSIX_GRPS_SIZE(num));
230 if (pgrps) {
231 pgrps->pg_ngrps = num;
232 bcopy(gids, pgrps->pg_grps, num * sizeof (gid_t));
233 }
234
235 free(gids);
236 return (pgrps);
237 }
238
239 /*
240 * smb_token_destroy
241 *
242 * Release all of the memory associated with a token structure. Ensure
243 * that the token has been unlinked before calling.
244 */
245 void
246 smb_token_destroy(smb_token_t *token)
247 {
248 if (token != NULL) {
249 smb_sid_free(token->tkn_user.i_sid);
250 smb_sid_free(token->tkn_owner.i_sid);
251 smb_sid_free(token->tkn_primary_grp.i_sid);
252 smb_ids_free(&token->tkn_win_grps);
253 smb_privset_free(token->tkn_privileges);
254 free(token->tkn_posix_grps);
255 free(token->tkn_account_name);
256 free(token->tkn_domain_name);
257 free(token->tkn_ssnkey.val);
258 bzero(token, sizeof (smb_token_t));
259 free(token);
260 }
261 }
262
263 /*
264 * Token owner should be set to local Administrators group
265 * in two cases:
266 * 1. The logged on user is a member of Domain Admins group
267 * 2. They are a member of local Administrators group
268 */
269 static void
270 smb_token_set_owner(smb_token_t *token)
271 {
272 #ifdef SMB_SUPPORT_GROUP_OWNER
273 smb_sid_t *owner_sid;
274
275 if (token->tkn_flags & SMB_ATF_ADMIN) {
276 owner_sid = smb_wka_get_sid("Administrators");
277 assert(owner_sid);
278 } else {
279 owner_sid = token->tkn_user->i_sid;
280 }
281
282 token->tkn_owner.i_sid = smb_sid_dup(owner_sid);
283 #endif
284 token->tkn_owner.i_sid = smb_sid_dup(token->tkn_user.i_sid);
285 }
286
287 static smb_privset_t *
288 smb_token_create_privs(smb_token_t *token)
289 {
290 smb_privset_t *privs;
291 smb_giter_t gi;
292 smb_group_t grp;
293 int rc;
294
295 privs = smb_privset_new();
296 if (privs == NULL)
297 return (NULL);
298
299 if (smb_lgrp_iteropen(&gi) != SMB_LGRP_SUCCESS) {
300 smb_privset_free(privs);
301 return (NULL);
302 }
303
304 while (smb_lgrp_iterate(&gi, &grp) == SMB_LGRP_SUCCESS) {
305 if (smb_lgrp_is_member(&grp, token->tkn_user.i_sid))
306 smb_privset_merge(privs, grp.sg_privs);
307 smb_lgrp_free(&grp);
308 }
309 smb_lgrp_iterclose(&gi);
310
311 if (token->tkn_flags & SMB_ATF_ADMIN) {
312 char admgrp[] = "Administrators";
313
314 rc = smb_lgrp_getbyname(admgrp, &grp);
315 if (rc == SMB_LGRP_SUCCESS) {
316 smb_privset_merge(privs, grp.sg_privs);
317 smb_lgrp_free(&grp);
318 }
319
320 /*
321 * This privilege is required to view/edit SACL
322 */
323 smb_privset_enable(privs, SE_SECURITY_LUID);
324 }
325
326 return (privs);
327 }
328
329 static void
330 smb_token_set_flags(smb_token_t *token)
331 {
332 if (smb_token_is_member(token, smb_wka_get_sid("Administrators")))
333 token->tkn_flags |= SMB_ATF_ADMIN;
334
335 if (smb_token_is_member(token, smb_wka_get_sid("Power Users")))
336 token->tkn_flags |= SMB_ATF_POWERUSER;
337
338 if (smb_token_is_member(token, smb_wka_get_sid("Backup Operators")))
339 token->tkn_flags |= SMB_ATF_BACKUPOP;
340 }
341
342 /*
343 * Common token setup for both local and domain users.
344 * This function must be called after the initial setup
345 * has been done.
346 *
347 * Note that the order of calls in this function are important.
348 *
349 * Returns B_TRUE for success.
350 */
351 boolean_t
352 smb_token_setup_common(smb_token_t *token)
353 {
354 smb_token_set_flags(token);
355
356 smb_token_set_owner(token);
357 if (token->tkn_owner.i_sid == NULL)
358 return (B_FALSE);
359
360 /* Privileges */
361 token->tkn_privileges = smb_token_create_privs(token);
362 if (token->tkn_privileges == NULL)
363 return (B_FALSE);
364
365 if (smb_token_sids2ids(token) != 0) {
366 syslog(LOG_ERR, "%s\\%s: idmap failed",
367 token->tkn_domain_name, token->tkn_account_name);
368 return (B_FALSE);
369 }
370
371 /* Solaris Groups */
372 token->tkn_posix_grps = smb_token_create_pxgrps(token->tkn_user.i_id);
373
374 return (smb_token_valid(token));
375 }
376
377 uint32_t
378 smb_logon_init(void)
379 {
380 uint32_t status;
381
382 (void) rw_wrlock(&smb_logoninit_rwl);
383 status = smb_sam_lookup_name(NULL, "guest", SidTypeUser, &smb_guest);
384 if (status != NT_STATUS_SUCCESS) {
385 (void) rw_unlock(&smb_logoninit_rwl);
386 return (status);
387 }
388
389 status = smb_sam_lookup_name(NULL, "domain users", SidTypeGroup,
390 &smb_domusers);
391 if (status != NT_STATUS_SUCCESS) {
392 smb_account_free(&smb_guest);
393 bzero(&smb_guest, sizeof (smb_account_t));
394 (void) rw_unlock(&smb_logoninit_rwl);
395 return (status);
396 }
397
398 (void) rw_unlock(&smb_logoninit_rwl);
399 return (status);
400 }
401
402 void
403 smb_logon_fini(void)
404 {
405 (void) rw_wrlock(&smb_logoninit_rwl);
406 smb_account_free(&smb_guest);
407 smb_account_free(&smb_domusers);
408 bzero(&smb_guest, sizeof (smb_account_t));
409 bzero(&smb_domusers, sizeof (smb_account_t));
410 (void) rw_unlock(&smb_logoninit_rwl);
411 }
412
413 /*
414 * Perform user authentication.
415 *
416 * The dispatched functions must only update the user_info status if they
417 * attempt to authenticate the user.
418 *
419 * On success, a pointer to a new access token is returned.
420 * On failure, NULL return and status in user_info->lg_status
421 */
422 smb_token_t *
423 smb_logon(smb_logon_t *user_info)
424 {
425 static smb_logonop_t ops[] = {
426 smb_logon_anon,
427 smb_logon_local,
428 smb_logon_domain,
429 smb_logon_guest
430 };
431 smb_token_t *token = NULL;
432 smb_domain_t domain;
433 int n_op = (sizeof (ops) / sizeof (ops[0]));
434 int i;
435
436 user_info->lg_secmode = smb_config_get_secmode();
437
438 if (smb_domain_lookup_name(user_info->lg_e_domain, &domain))
439 user_info->lg_domain_type = domain.di_type;
440 else
441 user_info->lg_domain_type = SMB_DOMAIN_NULL;
442
443 if ((token = calloc(1, sizeof (smb_token_t))) == NULL) {
444 syslog(LOG_ERR, "logon[%s\\%s]: %m",
445 user_info->lg_e_domain, user_info->lg_e_username);
446 return (NULL);
447 }
448
449 /*
450 * If any logonop function takes significant action
451 * (logon or authoratative failure) it will change
452 * this status field to something else.
453 */
454 user_info->lg_status = NT_STATUS_NO_SUCH_USER;
455 for (i = 0; i < n_op; ++i) {
456 (*ops[i])(user_info, token);
457
458 if (user_info->lg_status == NT_STATUS_SUCCESS)
459 break;
460 }
461
462 if (user_info->lg_status == NT_STATUS_SUCCESS) {
463 if (smb_token_setup_common(token))
464 return (token); /* success */
465 /*
466 * (else) smb_token_setup_common failed, which usually
467 * means smb_token_sids2ids() failed to map some SIDs to
468 * Unix IDs. This indicates an idmap config problem.
469 */
470 user_info->lg_status = NT_STATUS_INTERNAL_ERROR;
471 }
472
473 smb_token_destroy(token);
474
475 /*
476 * Any unknown user or bad password should result in
477 * NT_STATUS_LOGON_FAILURE (so we don't give hints).
478 */
479 if (user_info->lg_status == NT_STATUS_NO_SUCH_USER ||
480 user_info->lg_status == NT_STATUS_WRONG_PASSWORD)
481 user_info->lg_status = NT_STATUS_LOGON_FAILURE;
482
483 return (NULL);
484 }
485
486 /*
487 * If the user has an entry in the local database, attempt local authentication.
488 *
489 * In domain mode, we try to exclude domain accounts, which we do by only
490 * accepting local or null (blank) domain names here. Some clients (Mac OS)
491 * don't always send the domain name.
492 *
493 * If we are not going to attempt authentication, this function must return
494 * without updating the status.
495 */
496 static void
497 smb_logon_local(smb_logon_t *user_info, smb_token_t *token)
498 {
499 char guest[SMB_USERNAME_MAXLEN];
500 smb_passwd_t smbpw;
501 uint32_t status;
502
503 if (user_info->lg_secmode == SMB_SECMODE_DOMAIN) {
504 if ((user_info->lg_domain_type != SMB_DOMAIN_LOCAL) &&
505 (user_info->lg_domain_type != SMB_DOMAIN_NULL))
506 return;
507 }
508
509 /*
510 * If the requested account name is "guest" (or whatever
511 * our guest account is named) then don't handle it here.
512 * Let this request fall through to smb_logon_guest().
513 */
514 smb_guest_account(guest, SMB_USERNAME_MAXLEN);
515 if (smb_strcasecmp(guest, user_info->lg_e_username, 0) == 0)
516 return;
517
518 status = smb_token_auth_local(user_info, token, &smbpw);
519 if (status == NT_STATUS_SUCCESS)
520 status = smb_token_setup_local(&smbpw, token);
521
522 user_info->lg_status = status;
523 }
524
525 /*
526 * Guest authentication. This may be a local guest account or the guest
527 * account may be mapped to a local account. These accounts are regular
528 * accounts with normal password protection.
529 *
530 * Only proceed with a guest logon if previous logon options have resulted
531 * in NO_SUCH_USER.
532 *
533 * If we are not going to attempt authentication, this function must return
534 * without updating the status.
535 */
536 static void
537 smb_logon_guest(smb_logon_t *user_info, smb_token_t *token)
538 {
539 char guest[SMB_USERNAME_MAXLEN];
540 smb_passwd_t smbpw;
541 char *temp;
542
543 if (user_info->lg_status != NT_STATUS_NO_SUCH_USER)
544 return;
545
546 /* Get the name of the guest account. */
547 smb_guest_account(guest, SMB_USERNAME_MAXLEN);
548
549 /* Does the guest account exist? */
550 if (smb_pwd_getpwnam(guest, &smbpw) == NULL)
551 return;
552
553 /* Is it enabled? (empty p/w is OK) */
554 if (smbpw.pw_flags & SMB_PWF_DISABLE)
555 return;
556
557 /*
558 * OK, give the client a guest logon. Note that on entry,
559 * lg_e_username is typically something other than "guest"
560 * so we need to set the effective username when createing
561 * the guest token.
562 */
563 temp = user_info->lg_e_username;
564 user_info->lg_e_username = guest;
565 user_info->lg_status = smb_token_setup_guest(user_info, token);
566 user_info->lg_e_username = temp;
567 }
568
569 /*
570 * If user_info represents an anonymous user then setup the token.
571 * Otherwise return without updating the status.
572 */
573 static void
574 smb_logon_anon(smb_logon_t *user_info, smb_token_t *token)
575 {
576 if (user_info->lg_flags & SMB_ATF_ANON)
577 user_info->lg_status = smb_token_setup_anon(token);
578 }
579
580 /*
581 * Try both LM hash and NT hashes with user's password(s) to authenticate
582 * the user.
583 */
584 static uint32_t
585 smb_token_auth_local(smb_logon_t *user_info, smb_token_t *token,
586 smb_passwd_t *smbpw)
587 {
588 boolean_t ok;
589 uint32_t status = NT_STATUS_SUCCESS;
590
591 if (smb_pwd_getpwnam(user_info->lg_e_username, smbpw) == NULL)
592 return (NT_STATUS_NO_SUCH_USER);
593
594 if (smbpw->pw_flags & SMB_PWF_DISABLE)
595 return (NT_STATUS_ACCOUNT_DISABLED);
596
597 if ((smbpw->pw_flags & (SMB_PWF_LM | SMB_PWF_NT)) == 0) {
598 /*
599 * The SMB passwords have not been set.
600 * Return an error that suggests the
601 * password needs to be set.
602 */
603 return (NT_STATUS_PASSWORD_EXPIRED);
604 }
605
606 token->tkn_ssnkey.val = malloc(SMBAUTH_SESSION_KEY_SZ);
607 if (token->tkn_ssnkey.val == NULL)
608 return (NT_STATUS_NO_MEMORY);
609 token->tkn_ssnkey.len = SMBAUTH_SESSION_KEY_SZ;
610
611 ok = smb_auth_validate(
612 smbpw,
613 user_info->lg_domain,
614 user_info->lg_username,
615 user_info->lg_challenge_key.val,
616 user_info->lg_challenge_key.len,
617 user_info->lg_nt_password.val,
618 user_info->lg_nt_password.len,
619 user_info->lg_lm_password.val,
620 user_info->lg_lm_password.len,
621 token->tkn_ssnkey.val);
622 if (ok)
623 return (NT_STATUS_SUCCESS);
624
625 free(token->tkn_ssnkey.val);
626 token->tkn_ssnkey.val = NULL;
627 token->tkn_ssnkey.len = 0;
628
629 status = NT_STATUS_WRONG_PASSWORD;
630 syslog(LOG_NOTICE, "logon[%s\\%s]: %s",
631 user_info->lg_e_domain, user_info->lg_e_username,
632 xlate_nt_status(status));
633
634 return (status);
635 }
636
637 /*
638 * Setup an access token for the specified local user.
639 */
640 static uint32_t
641 smb_token_setup_local(smb_passwd_t *smbpw, smb_token_t *token)
642 {
643 idmap_stat stat;
644 smb_idmap_batch_t sib;
645 smb_idmap_t *umap, *gmap;
646 struct passwd pw;
647 struct passwd *pwp;
648 char pwbuf[1024];
649 char nbname[NETBIOS_NAME_SZ];
650
651 (void) smb_getnetbiosname(nbname, sizeof (nbname));
652 token->tkn_account_name = strdup(smbpw->pw_name);
653 token->tkn_domain_name = strdup(nbname);
654
655 if (token->tkn_account_name == NULL ||
656 token->tkn_domain_name == NULL)
657 return (NT_STATUS_NO_MEMORY);
658
659 getpwuid_r(smbpw->pw_uid, &pw, pwbuf, sizeof (pwbuf), &pwp);
660 if (!pwp)
661 return (NT_STATUS_NO_SUCH_USER);
662
663 /* Get the SID for user's uid & gid */
664 stat = smb_idmap_batch_create(&sib, 2, SMB_IDMAP_ID2SID);
665 if (stat != IDMAP_SUCCESS)
666 return (NT_STATUS_INTERNAL_ERROR);
667
668 umap = &sib.sib_maps[0];
669 stat = smb_idmap_batch_getsid(sib.sib_idmaph, umap, pw.pw_uid,
670 SMB_IDMAP_USER);
671
672 if (stat != IDMAP_SUCCESS) {
673 smb_idmap_batch_destroy(&sib);
674 return (NT_STATUS_INTERNAL_ERROR);
675 }
676
677 gmap = &sib.sib_maps[1];
678 stat = smb_idmap_batch_getsid(sib.sib_idmaph, gmap, pw.pw_gid,
679 SMB_IDMAP_GROUP);
680
681 if (stat != IDMAP_SUCCESS) {
682 smb_idmap_batch_destroy(&sib);
683 return (NT_STATUS_INTERNAL_ERROR);
684 }
685
686 if (smb_idmap_batch_getmappings(&sib) != IDMAP_SUCCESS)
687 return (NT_STATUS_INTERNAL_ERROR);
688
689 token->tkn_user.i_sid = smb_sid_dup(umap->sim_sid);
690 token->tkn_primary_grp.i_sid = smb_sid_dup(gmap->sim_sid);
691
692 smb_idmap_batch_destroy(&sib);
693
694 if (token->tkn_user.i_sid == NULL ||
695 token->tkn_primary_grp.i_sid == NULL)
696 return (NT_STATUS_NO_MEMORY);
697
698 return (smb_token_setup_wingrps(token));
699 }
700
701 /*
702 * Setup access token for guest connections
703 */
704 static uint32_t
705 smb_token_setup_guest(smb_logon_t *user_info, smb_token_t *token)
706 {
707 token->tkn_account_name = strdup(user_info->lg_e_username);
708
709 (void) rw_rdlock(&smb_logoninit_rwl);
710 token->tkn_domain_name = strdup(smb_guest.a_domain);
711 token->tkn_user.i_sid = smb_sid_dup(smb_guest.a_sid);
712 token->tkn_primary_grp.i_sid = smb_sid_dup(smb_domusers.a_sid);
713 (void) rw_unlock(&smb_logoninit_rwl);
714 token->tkn_flags = SMB_ATF_GUEST;
715
716 if (token->tkn_account_name == NULL ||
717 token->tkn_domain_name == NULL ||
718 token->tkn_user.i_sid == NULL ||
719 token->tkn_primary_grp.i_sid == NULL)
720 return (NT_STATUS_NO_MEMORY);
721
722 return (smb_token_setup_wingrps(token));
723 }
724
725 /*
726 * Setup access token for anonymous connections
727 */
728 static uint32_t
729 smb_token_setup_anon(smb_token_t *token)
730 {
731 smb_sid_t *user_sid;
732
733 token->tkn_account_name = strdup("Anonymous");
734 token->tkn_domain_name = strdup("NT Authority");
735 user_sid = smb_wka_get_sid("Anonymous");
736 token->tkn_user.i_sid = smb_sid_dup(user_sid);
737 token->tkn_primary_grp.i_sid = smb_sid_dup(user_sid);
738 token->tkn_flags = SMB_ATF_ANON;
739
740 if (token->tkn_account_name == NULL ||
741 token->tkn_domain_name == NULL ||
742 token->tkn_user.i_sid == NULL ||
743 token->tkn_primary_grp.i_sid == NULL)
744 return (NT_STATUS_NO_MEMORY);
745
746 return (smb_token_setup_wingrps(token));
747 }
748
749 /*
750 * smb_token_user_sid
751 *
752 * Return a pointer to the user SID in the specified token. A null
753 * pointer indicates an error.
754 */
755 static smb_sid_t *
756 smb_token_user_sid(smb_token_t *token)
757 {
758 return ((token) ? token->tkn_user.i_sid : NULL);
759 }
760
761 /*
762 * smb_token_group_sid
763 *
764 * Return a pointer to the group SID as indicated by the iterator.
765 * Setting the iterator to 0 before calling this function will return
766 * the first group, which will always be the primary group. The
767 * iterator will be incremented before returning the SID so that this
768 * function can be used to cycle through the groups. The caller can
769 * adjust the iterator as required between calls to obtain any specific
770 * group.
771 *
772 * On success a pointer to the appropriate group SID will be returned.
773 * Otherwise a null pointer will be returned.
774 */
775 static smb_sid_t *
776 smb_token_group_sid(smb_token_t *token, int *iterator)
777 {
778 int index;
779
780 if (token == NULL || iterator == NULL)
781 return (NULL);
782
783 if (token->tkn_win_grps.i_ids == NULL)
784 return (NULL);
785
786 index = *iterator;
787
788 if (index < 0 || index >= token->tkn_win_grps.i_cnt)
789 return (NULL);
790
791 ++(*iterator);
792 return (token->tkn_win_grps.i_ids[index].i_sid);
793 }
794
795 /*
796 * smb_token_is_member
797 *
798 * This function will determine whether or not the specified SID is a
799 * member of a token. The user SID and all group SIDs are tested.
800 * Returns 1 if the SID is a member of the token. Otherwise returns 0.
801 */
802 static boolean_t
803 smb_token_is_member(smb_token_t *token, smb_sid_t *sid)
804 {
805 smb_sid_t *tsid;
806 int iterator = 0;
807
808 if (token == NULL || sid == NULL)
809 return (B_FALSE);
810
811 tsid = smb_token_user_sid(token);
812 while (tsid) {
813 if (smb_sid_cmp(tsid, sid))
814 return (B_TRUE);
815
816 tsid = smb_token_group_sid(token, &iterator);
817 }
818
819 return (B_FALSE);
820 }
821
822 /*
823 * smb_token_log
824 *
825 * Diagnostic routine to write the contents of a token to the log.
826 */
827 void
828 smb_token_log(smb_token_t *token)
829 {
830 smb_ids_t *w_grps;
831 smb_id_t *grp;
832 smb_posix_grps_t *x_grps;
833 char sidstr[SMB_SID_STRSZ];
834 int i;
835
836 if (token == NULL)
837 return;
838
839 syslog(LOG_DEBUG, "Token for %s\\%s",
840 (token->tkn_domain_name) ? token->tkn_domain_name : "-NULL-",
841 (token->tkn_account_name) ? token->tkn_account_name : "-NULL-");
842
843 syslog(LOG_DEBUG, " User->Attr: %d", token->tkn_user.i_attrs);
844 smb_sid_tostr((smb_sid_t *)token->tkn_user.i_sid, sidstr);
845 syslog(LOG_DEBUG, " User->Sid: %s (id=%u)", sidstr,
846 token->tkn_user.i_id);
847
848 smb_sid_tostr((smb_sid_t *)token->tkn_owner.i_sid, sidstr);
849 syslog(LOG_DEBUG, " Ownr->Sid: %s (id=%u)",
850 sidstr, token->tkn_owner.i_id);
851
852 smb_sid_tostr((smb_sid_t *)token->tkn_primary_grp.i_sid, sidstr);
853 syslog(LOG_DEBUG, " PGrp->Sid: %s (id=%u)",
854 sidstr, token->tkn_primary_grp.i_id);
855
856 w_grps = &token->tkn_win_grps;
857 if (w_grps->i_ids) {
858 syslog(LOG_DEBUG, " Windows groups: %d", w_grps->i_cnt);
859 grp = w_grps->i_ids;
860 for (i = 0; i < w_grps->i_cnt; ++i, grp++) {
861 syslog(LOG_DEBUG,
862 " Grp[%d].Attr:%d", i, grp->i_attrs);
863 if (grp->i_sid != NULL) {
864 smb_sid_tostr((smb_sid_t *)grp->i_sid, sidstr);
865 syslog(LOG_DEBUG,
866 " Grp[%d].Sid: %s (id=%u)", i, sidstr,
867 grp->i_id);
868 }
869 }
870 } else {
871 syslog(LOG_DEBUG, " No Windows groups");
872 }
873
874 x_grps = token->tkn_posix_grps;
875 if (x_grps) {
876 syslog(LOG_DEBUG, " Solaris groups: %d", x_grps->pg_ngrps);
877 for (i = 0; i < x_grps->pg_ngrps; i++)
878 syslog(LOG_DEBUG, " %u", x_grps->pg_grps[i]);
879 } else {
880 syslog(LOG_DEBUG, " No Solaris groups");
881 }
882
883 if (token->tkn_privileges)
884 smb_privset_log(token->tkn_privileges);
885 else
886 syslog(LOG_DEBUG, " No privileges");
887 }
888
889 /*
890 * Sets up local and well-known group membership for the given
891 * token. Two assumptions have been made here:
892 *
893 * a) token already contains a valid user SID so that group
894 * memberships can be established
895 *
896 * b) token belongs to a local or anonymous user
897 */
898 static uint32_t
899 smb_token_setup_wingrps(smb_token_t *token)
900 {
901 smb_ids_t tkn_grps;
902 uint32_t status;
903
904
905 /*
906 * We always want the user's primary group in the list
907 * of groups.
908 */
909 tkn_grps.i_cnt = 1;
910 if ((tkn_grps.i_ids = malloc(sizeof (smb_id_t))) == NULL)
911 return (NT_STATUS_NO_MEMORY);
912
913 tkn_grps.i_ids->i_sid = smb_sid_dup(token->tkn_primary_grp.i_sid);
914 tkn_grps.i_ids->i_attrs = token->tkn_primary_grp.i_attrs;
915 if (tkn_grps.i_ids->i_sid == NULL) {
916 smb_ids_free(&tkn_grps);
917 return (NT_STATUS_NO_MEMORY);
918 }
919
920 status = smb_sam_usr_groups(token->tkn_user.i_sid, &tkn_grps);
921 if (status != NT_STATUS_SUCCESS) {
922 smb_ids_free(&tkn_grps);
923 return (status);
924 }
925
926 status = smb_wka_token_groups(token->tkn_flags, &tkn_grps);
927 if (status != NT_STATUS_SUCCESS) {
928 smb_ids_free(&tkn_grps);
929 return (status);
930 }
931
932 token->tkn_win_grps = tkn_grps;
933 return (status);
934 }
935
936 /*
937 * Returns the guest account name in the provided buffer.
938 *
939 * By default the name would be "guest" unless there's
940 * a idmap name-based rule which maps the guest to a local
941 * Solaris user in which case the name of that user is
942 * returned.
943 */
944 static void
945 smb_guest_account(char *guest, size_t buflen)
946 {
947 idmap_stat stat;
948 uid_t guest_uid;
949 struct passwd pw;
950 struct passwd *pwp;
951 char pwbuf[1024];
952 int idtype;
953
954 /* default Guest account name */
955 (void) rw_rdlock(&smb_logoninit_rwl);
956 (void) strlcpy(guest, smb_guest.a_name, buflen);
957
958 idtype = SMB_IDMAP_USER;
959 stat = smb_idmap_getid(smb_guest.a_sid, &guest_uid, &idtype);
960 (void) rw_unlock(&smb_logoninit_rwl);
961
962 if (stat != IDMAP_SUCCESS)
963 return;
964
965 /* If Ephemeral ID return the default name */
966 if (IDMAP_ID_IS_EPHEMERAL(guest_uid))
967 return;
968
969 getpwuid_r(guest_uid, &pw, pwbuf, sizeof (pwbuf), &pwp);
970 if (!pwp)
971 return;
972
973 (void) strlcpy(guest, pw.pw_name, buflen);
974 }
Unleashed OS