4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright (c) 2016 by Delphix. All rights reserved.
24 * Copyright 2017 Nexenta Systems, Inc. All rights reserved.
36 #include <smbsrv/libsmb.h>
37 #include <smbsrv/libmlsvc.h>
39 #include <smbsrv/smbinfo.h>
40 #include <smbsrv/smb_token.h>
43 static smb_account_t smb_guest
;
44 static smb_account_t smb_domusers
;
45 static rwlock_t smb_logoninit_rwl
;
47 typedef void (*smb_logonop_t
)(smb_logon_t
*, smb_token_t
*);
49 static void smb_logon_local(smb_logon_t
*, smb_token_t
*);
50 static void smb_logon_guest(smb_logon_t
*, smb_token_t
*);
51 static void smb_logon_anon(smb_logon_t
*, smb_token_t
*);
53 static uint32_t smb_token_auth_local(smb_logon_t
*, smb_token_t
*,
56 static uint32_t smb_token_setup_local(smb_passwd_t
*, smb_token_t
*);
57 static uint32_t smb_token_setup_guest(smb_logon_t
*, smb_token_t
*);
58 static uint32_t smb_token_setup_anon(smb_token_t
*token
);
60 static boolean_t
smb_token_is_member(smb_token_t
*, smb_sid_t
*);
61 static uint32_t smb_token_setup_wingrps(smb_token_t
*);
62 static smb_posix_grps_t
*smb_token_create_pxgrps(uid_t
);
64 static void smb_guest_account(char *, size_t);
66 /* Consolidation private function from Network Repository */
67 extern int _getgroupsbymember(const char *, gid_t
[], int, int);
70 smb_token_idmap(smb_token_t
*token
, smb_idmap_batch_t
*sib
)
78 return (IDMAP_ERR_ARG
);
82 if (token
->tkn_flags
& SMB_ATF_ANON
) {
83 token
->tkn_user
.i_id
= UID_NOBODY
;
84 token
->tkn_owner
.i_id
= UID_NOBODY
;
87 id
= &token
->tkn_user
;
88 sim
->sim_id
= &id
->i_id
;
89 stat
= smb_idmap_batch_getid(sib
->sib_idmaph
, sim
++,
90 id
->i_sid
, SMB_IDMAP_USER
);
92 if (stat
!= IDMAP_SUCCESS
)
96 id
= &token
->tkn_owner
;
97 sim
->sim_id
= &id
->i_id
;
98 stat
= smb_idmap_batch_getid(sib
->sib_idmaph
, sim
++,
99 id
->i_sid
, SMB_IDMAP_USER
);
101 if (stat
!= IDMAP_SUCCESS
)
105 /* Primary Group SID */
106 id
= &token
->tkn_primary_grp
;
107 sim
->sim_id
= &id
->i_id
;
108 stat
= smb_idmap_batch_getid(sib
->sib_idmaph
, sim
++, id
->i_sid
,
111 if (stat
!= IDMAP_SUCCESS
)
114 /* Other Windows Group SIDs */
115 for (i
= 0; i
< token
->tkn_win_grps
.i_cnt
; i
++, sim
++) {
116 id
= &token
->tkn_win_grps
.i_ids
[i
];
117 sim
->sim_id
= &id
->i_id
;
118 stat
= smb_idmap_batch_getid(sib
->sib_idmaph
, sim
,
119 id
->i_sid
, SMB_IDMAP_GROUP
);
121 if (stat
!= IDMAP_SUCCESS
)
131 * This will map all the SIDs of the access token to UIDs/GIDs.
133 * Returns 0 upon success. Otherwise, returns -1.
136 smb_token_sids2ids(smb_token_t
*token
)
140 smb_idmap_batch_t sib
;
143 * Number of idmap lookups: user SID, owner SID, primary group SID,
144 * and all Windows group SIDs. Skip user/owner SID for Anonymous.
146 if (token
->tkn_flags
& SMB_ATF_ANON
)
147 nmaps
= token
->tkn_win_grps
.i_cnt
+ 1;
149 nmaps
= token
->tkn_win_grps
.i_cnt
+ 3;
151 stat
= smb_idmap_batch_create(&sib
, nmaps
, SMB_IDMAP_SID2ID
);
152 if (stat
!= IDMAP_SUCCESS
)
155 stat
= smb_token_idmap(token
, &sib
);
156 if (stat
!= IDMAP_SUCCESS
) {
157 smb_idmap_batch_destroy(&sib
);
161 stat
= smb_idmap_batch_getmappings(&sib
);
162 smb_idmap_check("smb_idmap_batch_getmappings", stat
);
163 smb_idmap_batch_destroy(&sib
);
165 return (stat
== IDMAP_SUCCESS
? 0 : -1);
169 * smb_token_create_pxgrps
171 * Setup the POSIX group membership of the access token if the given UID is
172 * a POSIX UID (non-ephemeral). Both the user's primary group and
173 * supplementary groups will be added to the POSIX group array of the access
176 static smb_posix_grps_t
*
177 smb_token_create_pxgrps(uid_t uid
)
180 smb_posix_grps_t
*pgrps
;
181 int ngroups_max
, num
;
184 if ((ngroups_max
= sysconf(_SC_NGROUPS_MAX
)) < 0) {
185 syslog(LOG_ERR
, "smb_logon: failed to get _SC_NGROUPS_MAX");
191 pgrps
= malloc(sizeof (smb_posix_grps_t
));
199 if (pwd
->pw_name
== NULL
) {
200 pgrps
= malloc(sizeof (smb_posix_grps_t
));
205 pgrps
->pg_grps
[0] = pwd
->pw_gid
;
209 gids
= (gid_t
*)malloc(ngroups_max
* sizeof (gid_t
));
213 bzero(gids
, ngroups_max
* sizeof (gid_t
));
215 gids
[0] = pwd
->pw_gid
;
218 * Setup the groups starting at index 1 (the last arg)
221 num
= _getgroupsbymember(pwd
->pw_name
, gids
, ngroups_max
, 1);
224 syslog(LOG_ERR
, "smb_logon: unable "
225 "to get user's supplementary groups");
229 pgrps
= (smb_posix_grps_t
*)malloc(SMB_POSIX_GRPS_SIZE(num
));
231 pgrps
->pg_ngrps
= num
;
232 bcopy(gids
, pgrps
->pg_grps
, num
* sizeof (gid_t
));
242 * Release all of the memory associated with a token structure. Ensure
243 * that the token has been unlinked before calling.
246 smb_token_destroy(smb_token_t
*token
)
249 smb_sid_free(token
->tkn_user
.i_sid
);
250 smb_sid_free(token
->tkn_owner
.i_sid
);
251 smb_sid_free(token
->tkn_primary_grp
.i_sid
);
252 smb_ids_free(&token
->tkn_win_grps
);
253 smb_privset_free(token
->tkn_privileges
);
254 free(token
->tkn_posix_grps
);
255 free(token
->tkn_account_name
);
256 free(token
->tkn_domain_name
);
257 free(token
->tkn_ssnkey
.val
);
258 bzero(token
, sizeof (smb_token_t
));
264 * Token owner should be set to local Administrators group
266 * 1. The logged on user is a member of Domain Admins group
267 * 2. They are a member of local Administrators group
270 smb_token_set_owner(smb_token_t
*token
)
272 #ifdef SMB_SUPPORT_GROUP_OWNER
273 smb_sid_t
*owner_sid
;
275 if (token
->tkn_flags
& SMB_ATF_ADMIN
) {
276 owner_sid
= smb_wka_get_sid("Administrators");
279 owner_sid
= token
->tkn_user
->i_sid
;
282 token
->tkn_owner
.i_sid
= smb_sid_dup(owner_sid
);
284 token
->tkn_owner
.i_sid
= smb_sid_dup(token
->tkn_user
.i_sid
);
287 static smb_privset_t
*
288 smb_token_create_privs(smb_token_t
*token
)
290 smb_privset_t
*privs
;
295 privs
= smb_privset_new();
299 if (smb_lgrp_iteropen(&gi
) != SMB_LGRP_SUCCESS
) {
300 smb_privset_free(privs
);
304 while (smb_lgrp_iterate(&gi
, &grp
) == SMB_LGRP_SUCCESS
) {
305 if (smb_lgrp_is_member(&grp
, token
->tkn_user
.i_sid
))
306 smb_privset_merge(privs
, grp
.sg_privs
);
309 smb_lgrp_iterclose(&gi
);
311 if (token
->tkn_flags
& SMB_ATF_ADMIN
) {
312 char admgrp
[] = "Administrators";
314 rc
= smb_lgrp_getbyname(admgrp
, &grp
);
315 if (rc
== SMB_LGRP_SUCCESS
) {
316 smb_privset_merge(privs
, grp
.sg_privs
);
321 * This privilege is required to view/edit SACL
323 smb_privset_enable(privs
, SE_SECURITY_LUID
);
330 smb_token_set_flags(smb_token_t
*token
)
332 if (smb_token_is_member(token
, smb_wka_get_sid("Administrators")))
333 token
->tkn_flags
|= SMB_ATF_ADMIN
;
335 if (smb_token_is_member(token
, smb_wka_get_sid("Power Users")))
336 token
->tkn_flags
|= SMB_ATF_POWERUSER
;
338 if (smb_token_is_member(token
, smb_wka_get_sid("Backup Operators")))
339 token
->tkn_flags
|= SMB_ATF_BACKUPOP
;
343 * Common token setup for both local and domain users.
344 * This function must be called after the initial setup
347 * Note that the order of calls in this function are important.
349 * Returns B_TRUE for success.
352 smb_token_setup_common(smb_token_t
*token
)
354 smb_token_set_flags(token
);
356 smb_token_set_owner(token
);
357 if (token
->tkn_owner
.i_sid
== NULL
)
361 token
->tkn_privileges
= smb_token_create_privs(token
);
362 if (token
->tkn_privileges
== NULL
)
365 if (smb_token_sids2ids(token
) != 0) {
366 syslog(LOG_ERR
, "%s\\%s: idmap failed",
367 token
->tkn_domain_name
, token
->tkn_account_name
);
372 token
->tkn_posix_grps
= smb_token_create_pxgrps(token
->tkn_user
.i_id
);
374 return (smb_token_valid(token
));
382 (void) rw_wrlock(&smb_logoninit_rwl
);
383 status
= smb_sam_lookup_name(NULL
, "guest", SidTypeUser
, &smb_guest
);
384 if (status
!= NT_STATUS_SUCCESS
) {
385 (void) rw_unlock(&smb_logoninit_rwl
);
389 status
= smb_sam_lookup_name(NULL
, "domain users", SidTypeGroup
,
391 if (status
!= NT_STATUS_SUCCESS
) {
392 smb_account_free(&smb_guest
);
393 bzero(&smb_guest
, sizeof (smb_account_t
));
394 (void) rw_unlock(&smb_logoninit_rwl
);
398 (void) rw_unlock(&smb_logoninit_rwl
);
405 (void) rw_wrlock(&smb_logoninit_rwl
);
406 smb_account_free(&smb_guest
);
407 smb_account_free(&smb_domusers
);
408 bzero(&smb_guest
, sizeof (smb_account_t
));
409 bzero(&smb_domusers
, sizeof (smb_account_t
));
410 (void) rw_unlock(&smb_logoninit_rwl
);
414 * Perform user authentication.
416 * The dispatched functions must only update the user_info status if they
417 * attempt to authenticate the user.
419 * On success, a pointer to a new access token is returned.
420 * On failure, NULL return and status in user_info->lg_status
423 smb_logon(smb_logon_t
*user_info
)
425 static smb_logonop_t ops
[] = {
431 smb_token_t
*token
= NULL
;
433 int n_op
= (sizeof (ops
) / sizeof (ops
[0]));
436 user_info
->lg_secmode
= smb_config_get_secmode();
438 if (smb_domain_lookup_name(user_info
->lg_e_domain
, &domain
))
439 user_info
->lg_domain_type
= domain
.di_type
;
441 user_info
->lg_domain_type
= SMB_DOMAIN_NULL
;
443 if ((token
= calloc(1, sizeof (smb_token_t
))) == NULL
) {
444 syslog(LOG_ERR
, "logon[%s\\%s]: %m",
445 user_info
->lg_e_domain
, user_info
->lg_e_username
);
450 * If any logonop function takes significant action
451 * (logon or authoratative failure) it will change
452 * this status field to something else.
454 user_info
->lg_status
= NT_STATUS_NO_SUCH_USER
;
455 for (i
= 0; i
< n_op
; ++i
) {
456 (*ops
[i
])(user_info
, token
);
458 if (user_info
->lg_status
== NT_STATUS_SUCCESS
)
462 if (user_info
->lg_status
== NT_STATUS_SUCCESS
) {
463 if (smb_token_setup_common(token
))
464 return (token
); /* success */
466 * (else) smb_token_setup_common failed, which usually
467 * means smb_token_sids2ids() failed to map some SIDs to
468 * Unix IDs. This indicates an idmap config problem.
470 user_info
->lg_status
= NT_STATUS_INTERNAL_ERROR
;
473 smb_token_destroy(token
);
476 * Any unknown user or bad password should result in
477 * NT_STATUS_LOGON_FAILURE (so we don't give hints).
479 if (user_info
->lg_status
== NT_STATUS_NO_SUCH_USER
||
480 user_info
->lg_status
== NT_STATUS_WRONG_PASSWORD
)
481 user_info
->lg_status
= NT_STATUS_LOGON_FAILURE
;
487 * If the user has an entry in the local database, attempt local authentication.
489 * In domain mode, we try to exclude domain accounts, which we do by only
490 * accepting local or null (blank) domain names here. Some clients (Mac OS)
491 * don't always send the domain name.
493 * If we are not going to attempt authentication, this function must return
494 * without updating the status.
497 smb_logon_local(smb_logon_t
*user_info
, smb_token_t
*token
)
499 char guest
[SMB_USERNAME_MAXLEN
];
503 if (user_info
->lg_secmode
== SMB_SECMODE_DOMAIN
) {
504 if ((user_info
->lg_domain_type
!= SMB_DOMAIN_LOCAL
) &&
505 (user_info
->lg_domain_type
!= SMB_DOMAIN_NULL
))
510 * If the requested account name is "guest" (or whatever
511 * our guest account is named) then don't handle it here.
512 * Let this request fall through to smb_logon_guest().
514 smb_guest_account(guest
, SMB_USERNAME_MAXLEN
);
515 if (smb_strcasecmp(guest
, user_info
->lg_e_username
, 0) == 0)
518 status
= smb_token_auth_local(user_info
, token
, &smbpw
);
519 if (status
== NT_STATUS_SUCCESS
)
520 status
= smb_token_setup_local(&smbpw
, token
);
522 user_info
->lg_status
= status
;
526 * Guest authentication. This may be a local guest account or the guest
527 * account may be mapped to a local account. These accounts are regular
528 * accounts with normal password protection.
530 * Only proceed with a guest logon if previous logon options have resulted
533 * If we are not going to attempt authentication, this function must return
534 * without updating the status.
537 smb_logon_guest(smb_logon_t
*user_info
, smb_token_t
*token
)
539 char guest
[SMB_USERNAME_MAXLEN
];
543 if (user_info
->lg_status
!= NT_STATUS_NO_SUCH_USER
)
546 /* Get the name of the guest account. */
547 smb_guest_account(guest
, SMB_USERNAME_MAXLEN
);
549 /* Does the guest account exist? */
550 if (smb_pwd_getpwnam(guest
, &smbpw
) == NULL
)
553 /* Is it enabled? (empty p/w is OK) */
554 if (smbpw
.pw_flags
& SMB_PWF_DISABLE
)
558 * OK, give the client a guest logon. Note that on entry,
559 * lg_e_username is typically something other than "guest"
560 * so we need to set the effective username when createing
563 temp
= user_info
->lg_e_username
;
564 user_info
->lg_e_username
= guest
;
565 user_info
->lg_status
= smb_token_setup_guest(user_info
, token
);
566 user_info
->lg_e_username
= temp
;
570 * If user_info represents an anonymous user then setup the token.
571 * Otherwise return without updating the status.
574 smb_logon_anon(smb_logon_t
*user_info
, smb_token_t
*token
)
576 if (user_info
->lg_flags
& SMB_ATF_ANON
)
577 user_info
->lg_status
= smb_token_setup_anon(token
);
581 * Try both LM hash and NT hashes with user's password(s) to authenticate
585 smb_token_auth_local(smb_logon_t
*user_info
, smb_token_t
*token
,
589 uint32_t status
= NT_STATUS_SUCCESS
;
591 if (smb_pwd_getpwnam(user_info
->lg_e_username
, smbpw
) == NULL
)
592 return (NT_STATUS_NO_SUCH_USER
);
594 if (smbpw
->pw_flags
& SMB_PWF_DISABLE
)
595 return (NT_STATUS_ACCOUNT_DISABLED
);
597 if ((smbpw
->pw_flags
& (SMB_PWF_LM
| SMB_PWF_NT
)) == 0) {
599 * The SMB passwords have not been set.
600 * Return an error that suggests the
601 * password needs to be set.
603 return (NT_STATUS_PASSWORD_EXPIRED
);
606 token
->tkn_ssnkey
.val
= malloc(SMBAUTH_SESSION_KEY_SZ
);
607 if (token
->tkn_ssnkey
.val
== NULL
)
608 return (NT_STATUS_NO_MEMORY
);
609 token
->tkn_ssnkey
.len
= SMBAUTH_SESSION_KEY_SZ
;
611 ok
= smb_auth_validate(
613 user_info
->lg_domain
,
614 user_info
->lg_username
,
615 user_info
->lg_challenge_key
.val
,
616 user_info
->lg_challenge_key
.len
,
617 user_info
->lg_nt_password
.val
,
618 user_info
->lg_nt_password
.len
,
619 user_info
->lg_lm_password
.val
,
620 user_info
->lg_lm_password
.len
,
621 token
->tkn_ssnkey
.val
);
623 return (NT_STATUS_SUCCESS
);
625 free(token
->tkn_ssnkey
.val
);
626 token
->tkn_ssnkey
.val
= NULL
;
627 token
->tkn_ssnkey
.len
= 0;
629 status
= NT_STATUS_WRONG_PASSWORD
;
630 syslog(LOG_NOTICE
, "logon[%s\\%s]: %s",
631 user_info
->lg_e_domain
, user_info
->lg_e_username
,
632 xlate_nt_status(status
));
638 * Setup an access token for the specified local user.
641 smb_token_setup_local(smb_passwd_t
*smbpw
, smb_token_t
*token
)
644 smb_idmap_batch_t sib
;
645 smb_idmap_t
*umap
, *gmap
;
649 char nbname
[NETBIOS_NAME_SZ
];
651 (void) smb_getnetbiosname(nbname
, sizeof (nbname
));
652 token
->tkn_account_name
= strdup(smbpw
->pw_name
);
653 token
->tkn_domain_name
= strdup(nbname
);
655 if (token
->tkn_account_name
== NULL
||
656 token
->tkn_domain_name
== NULL
)
657 return (NT_STATUS_NO_MEMORY
);
659 getpwuid_r(smbpw
->pw_uid
, &pw
, pwbuf
, sizeof (pwbuf
), &pwp
);
661 return (NT_STATUS_NO_SUCH_USER
);
663 /* Get the SID for user's uid & gid */
664 stat
= smb_idmap_batch_create(&sib
, 2, SMB_IDMAP_ID2SID
);
665 if (stat
!= IDMAP_SUCCESS
)
666 return (NT_STATUS_INTERNAL_ERROR
);
668 umap
= &sib
.sib_maps
[0];
669 stat
= smb_idmap_batch_getsid(sib
.sib_idmaph
, umap
, pw
.pw_uid
,
672 if (stat
!= IDMAP_SUCCESS
) {
673 smb_idmap_batch_destroy(&sib
);
674 return (NT_STATUS_INTERNAL_ERROR
);
677 gmap
= &sib
.sib_maps
[1];
678 stat
= smb_idmap_batch_getsid(sib
.sib_idmaph
, gmap
, pw
.pw_gid
,
681 if (stat
!= IDMAP_SUCCESS
) {
682 smb_idmap_batch_destroy(&sib
);
683 return (NT_STATUS_INTERNAL_ERROR
);
686 if (smb_idmap_batch_getmappings(&sib
) != IDMAP_SUCCESS
)
687 return (NT_STATUS_INTERNAL_ERROR
);
689 token
->tkn_user
.i_sid
= smb_sid_dup(umap
->sim_sid
);
690 token
->tkn_primary_grp
.i_sid
= smb_sid_dup(gmap
->sim_sid
);
692 smb_idmap_batch_destroy(&sib
);
694 if (token
->tkn_user
.i_sid
== NULL
||
695 token
->tkn_primary_grp
.i_sid
== NULL
)
696 return (NT_STATUS_NO_MEMORY
);
698 return (smb_token_setup_wingrps(token
));
702 * Setup access token for guest connections
705 smb_token_setup_guest(smb_logon_t
*user_info
, smb_token_t
*token
)
707 token
->tkn_account_name
= strdup(user_info
->lg_e_username
);
709 (void) rw_rdlock(&smb_logoninit_rwl
);
710 token
->tkn_domain_name
= strdup(smb_guest
.a_domain
);
711 token
->tkn_user
.i_sid
= smb_sid_dup(smb_guest
.a_sid
);
712 token
->tkn_primary_grp
.i_sid
= smb_sid_dup(smb_domusers
.a_sid
);
713 (void) rw_unlock(&smb_logoninit_rwl
);
714 token
->tkn_flags
= SMB_ATF_GUEST
;
716 if (token
->tkn_account_name
== NULL
||
717 token
->tkn_domain_name
== NULL
||
718 token
->tkn_user
.i_sid
== NULL
||
719 token
->tkn_primary_grp
.i_sid
== NULL
)
720 return (NT_STATUS_NO_MEMORY
);
722 return (smb_token_setup_wingrps(token
));
726 * Setup access token for anonymous connections
729 smb_token_setup_anon(smb_token_t
*token
)
733 token
->tkn_account_name
= strdup("Anonymous");
734 token
->tkn_domain_name
= strdup("NT Authority");
735 user_sid
= smb_wka_get_sid("Anonymous");
736 token
->tkn_user
.i_sid
= smb_sid_dup(user_sid
);
737 token
->tkn_primary_grp
.i_sid
= smb_sid_dup(user_sid
);
738 token
->tkn_flags
= SMB_ATF_ANON
;
740 if (token
->tkn_account_name
== NULL
||
741 token
->tkn_domain_name
== NULL
||
742 token
->tkn_user
.i_sid
== NULL
||
743 token
->tkn_primary_grp
.i_sid
== NULL
)
744 return (NT_STATUS_NO_MEMORY
);
746 return (smb_token_setup_wingrps(token
));
752 * Return a pointer to the user SID in the specified token. A null
753 * pointer indicates an error.
756 smb_token_user_sid(smb_token_t
*token
)
758 return ((token
) ? token
->tkn_user
.i_sid
: NULL
);
762 * smb_token_group_sid
764 * Return a pointer to the group SID as indicated by the iterator.
765 * Setting the iterator to 0 before calling this function will return
766 * the first group, which will always be the primary group. The
767 * iterator will be incremented before returning the SID so that this
768 * function can be used to cycle through the groups. The caller can
769 * adjust the iterator as required between calls to obtain any specific
772 * On success a pointer to the appropriate group SID will be returned.
773 * Otherwise a null pointer will be returned.
776 smb_token_group_sid(smb_token_t
*token
, int *iterator
)
780 if (token
== NULL
|| iterator
== NULL
)
783 if (token
->tkn_win_grps
.i_ids
== NULL
)
788 if (index
< 0 || index
>= token
->tkn_win_grps
.i_cnt
)
792 return (token
->tkn_win_grps
.i_ids
[index
].i_sid
);
796 * smb_token_is_member
798 * This function will determine whether or not the specified SID is a
799 * member of a token. The user SID and all group SIDs are tested.
800 * Returns 1 if the SID is a member of the token. Otherwise returns 0.
803 smb_token_is_member(smb_token_t
*token
, smb_sid_t
*sid
)
808 if (token
== NULL
|| sid
== NULL
)
811 tsid
= smb_token_user_sid(token
);
813 if (smb_sid_cmp(tsid
, sid
))
816 tsid
= smb_token_group_sid(token
, &iterator
);
825 * Diagnostic routine to write the contents of a token to the log.
828 smb_token_log(smb_token_t
*token
)
832 smb_posix_grps_t
*x_grps
;
833 char sidstr
[SMB_SID_STRSZ
];
839 syslog(LOG_DEBUG
, "Token for %s\\%s",
840 (token
->tkn_domain_name
) ? token
->tkn_domain_name
: "-NULL-",
841 (token
->tkn_account_name
) ? token
->tkn_account_name
: "-NULL-");
843 syslog(LOG_DEBUG
, " User->Attr: %d", token
->tkn_user
.i_attrs
);
844 smb_sid_tostr((smb_sid_t
*)token
->tkn_user
.i_sid
, sidstr
);
845 syslog(LOG_DEBUG
, " User->Sid: %s (id=%u)", sidstr
,
846 token
->tkn_user
.i_id
);
848 smb_sid_tostr((smb_sid_t
*)token
->tkn_owner
.i_sid
, sidstr
);
849 syslog(LOG_DEBUG
, " Ownr->Sid: %s (id=%u)",
850 sidstr
, token
->tkn_owner
.i_id
);
852 smb_sid_tostr((smb_sid_t
*)token
->tkn_primary_grp
.i_sid
, sidstr
);
853 syslog(LOG_DEBUG
, " PGrp->Sid: %s (id=%u)",
854 sidstr
, token
->tkn_primary_grp
.i_id
);
856 w_grps
= &token
->tkn_win_grps
;
858 syslog(LOG_DEBUG
, " Windows groups: %d", w_grps
->i_cnt
);
860 for (i
= 0; i
< w_grps
->i_cnt
; ++i
, grp
++) {
862 " Grp[%d].Attr:%d", i
, grp
->i_attrs
);
863 if (grp
->i_sid
!= NULL
) {
864 smb_sid_tostr((smb_sid_t
*)grp
->i_sid
, sidstr
);
866 " Grp[%d].Sid: %s (id=%u)", i
, sidstr
,
871 syslog(LOG_DEBUG
, " No Windows groups");
874 x_grps
= token
->tkn_posix_grps
;
876 syslog(LOG_DEBUG
, " Solaris groups: %d", x_grps
->pg_ngrps
);
877 for (i
= 0; i
< x_grps
->pg_ngrps
; i
++)
878 syslog(LOG_DEBUG
, " %u", x_grps
->pg_grps
[i
]);
880 syslog(LOG_DEBUG
, " No Solaris groups");
883 if (token
->tkn_privileges
)
884 smb_privset_log(token
->tkn_privileges
);
886 syslog(LOG_DEBUG
, " No privileges");
890 * Sets up local and well-known group membership for the given
891 * token. Two assumptions have been made here:
893 * a) token already contains a valid user SID so that group
894 * memberships can be established
896 * b) token belongs to a local or anonymous user
899 smb_token_setup_wingrps(smb_token_t
*token
)
906 * We always want the user's primary group in the list
910 if ((tkn_grps
.i_ids
= malloc(sizeof (smb_id_t
))) == NULL
)
911 return (NT_STATUS_NO_MEMORY
);
913 tkn_grps
.i_ids
->i_sid
= smb_sid_dup(token
->tkn_primary_grp
.i_sid
);
914 tkn_grps
.i_ids
->i_attrs
= token
->tkn_primary_grp
.i_attrs
;
915 if (tkn_grps
.i_ids
->i_sid
== NULL
) {
916 smb_ids_free(&tkn_grps
);
917 return (NT_STATUS_NO_MEMORY
);
920 status
= smb_sam_usr_groups(token
->tkn_user
.i_sid
, &tkn_grps
);
921 if (status
!= NT_STATUS_SUCCESS
) {
922 smb_ids_free(&tkn_grps
);
926 status
= smb_wka_token_groups(token
->tkn_flags
, &tkn_grps
);
927 if (status
!= NT_STATUS_SUCCESS
) {
928 smb_ids_free(&tkn_grps
);
932 token
->tkn_win_grps
= tkn_grps
;
937 * Returns the guest account name in the provided buffer.
939 * By default the name would be "guest" unless there's
940 * a idmap name-based rule which maps the guest to a local
941 * Solaris user in which case the name of that user is
945 smb_guest_account(char *guest
, size_t buflen
)
954 /* default Guest account name */
955 (void) rw_rdlock(&smb_logoninit_rwl
);
956 (void) strlcpy(guest
, smb_guest
.a_name
, buflen
);
958 idtype
= SMB_IDMAP_USER
;
959 stat
= smb_idmap_getid(smb_guest
.a_sid
, &guest_uid
, &idtype
);
960 (void) rw_unlock(&smb_logoninit_rwl
);
962 if (stat
!= IDMAP_SUCCESS
)
965 /* If Ephemeral ID return the default name */
966 if (IDMAP_ID_IS_EPHEMERAL(guest_uid
))
969 getpwuid_r(guest_uid
, &pw
, pwbuf
, sizeof (pwbuf
), &pwp
);
973 (void) strlcpy(guest
, pw
.pw_name
, buflen
);