/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
 * Copyright (c) 2016 by Delphix. All rights reserved.
 * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
 * Copyright 2023 RackTop Systems, Inc.
 */
27b89a8333Snatalie li - Sun Microsystems - Irvine United States
28b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <unistd.h>
29b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <strings.h>
30b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <pwd.h>
31b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <grp.h>
32b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <time.h>
33b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <syslog.h>
34b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <assert.h>
3529bd2886SAlan Wright #include <synch.h>
36b89a8333Snatalie li - Sun Microsystems - Irvine United States
37b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <smbsrv/libsmb.h>
38b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <smbsrv/libmlsvc.h>
39b89a8333Snatalie li - Sun Microsystems - Irvine United States
40b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <smbsrv/smbinfo.h>
41b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <smbsrv/smb_token.h>
428d7e4166Sjose borrego #include <lsalib.h>
43b89a8333Snatalie li - Sun Microsystems - Irvine United States
/*
 * Well-known local accounts, looked up by smb_logon_init() while
 * smb_logoninit_rwl is held for writing.
 */
static smb_account_t smb_guest;
static smb_account_t smb_domusers;
static rwlock_t smb_logoninit_rwl;

/* Common signature of the local/guest/anonymous logon handlers below. */
typedef void (*smb_logonop_t)(smb_logon_t *, smb_token_t *);

static void smb_logon_local(smb_logon_t *, smb_token_t *);
static void smb_logon_guest(smb_logon_t *, smb_token_t *);
static void smb_logon_anon(smb_logon_t *, smb_token_t *);

static uint32_t smb_token_auth_local(smb_logon_t *, smb_token_t *,
    smb_passwd_t *);

static uint32_t smb_token_setup_local(smb_passwd_t *, smb_token_t *);
static uint32_t smb_token_setup_guest(smb_logon_t *, smb_token_t *);
static uint32_t smb_token_setup_anon(smb_token_t *token);

static boolean_t smb_token_is_member(smb_token_t *, smb_sid_t *);
static uint32_t smb_token_setup_wingrps(smb_token_t *);
static smb_posix_grps_t *smb_token_create_pxgrps(uid_t);

static void smb_guest_account(char *, size_t);

/* Consolidation private function from Network Repository */
extern int _getgroupsbymember(const char *, gid_t[], int, int);
69b89a8333Snatalie li - Sun Microsystems - Irvine United States
/*
 * smb_token_idmap
 *
 * Queue one SID-to-ID lookup in the batch 'sib' for every SID the token
 * carries: user and owner (skipped for anonymous tokens, which are given
 * UID_NOBODY directly), the primary group and each Windows group.  Each
 * batch entry's sim_id is pointed at the token's i_id slot so the result
 * of the later batch lookup is written straight into the token.
 *
 * Returns IDMAP_ERR_ARG for a NULL token or batch; otherwise the status
 * of the first lookup that could not be queued, or IDMAP_SUCCESS.
 */
static idmap_stat
smb_token_idmap(smb_token_t *token, smb_idmap_batch_t *sib)
{
	smb_idmap_t *map;
	smb_id_t *id;
	idmap_stat rc = IDMAP_SUCCESS;
	int n = 0;	/* next free slot in sib->sib_maps */
	int gi;

	if (token == NULL || sib == NULL)
		return (IDMAP_ERR_ARG);

	if ((token->tkn_flags & SMB_ATF_ANON) != 0) {
		/* Anonymous has no real user: no lookups for user/owner. */
		token->tkn_user.i_id = UID_NOBODY;
		token->tkn_owner.i_id = UID_NOBODY;
	} else {
		/* User SID */
		id = &token->tkn_user;
		map = &sib->sib_maps[n++];
		map->sim_id = &id->i_id;
		rc = smb_idmap_batch_getid(sib->sib_idmaph, map, id->i_sid,
		    SMB_IDMAP_USER);
		if (rc != IDMAP_SUCCESS)
			return (rc);

		/* Owner SID */
		id = &token->tkn_owner;
		map = &sib->sib_maps[n++];
		map->sim_id = &id->i_id;
		rc = smb_idmap_batch_getid(sib->sib_idmaph, map, id->i_sid,
		    SMB_IDMAP_USER);
		if (rc != IDMAP_SUCCESS)
			return (rc);
	}

	/* Primary Group SID */
	id = &token->tkn_primary_grp;
	map = &sib->sib_maps[n++];
	map->sim_id = &id->i_id;
	rc = smb_idmap_batch_getid(sib->sib_idmaph, map, id->i_sid,
	    SMB_IDMAP_GROUP);
	if (rc != IDMAP_SUCCESS)
		return (rc);

	/* Other Windows Group SIDs; stop at the first failure. */
	for (gi = 0; gi < token->tkn_win_grps.i_cnt; gi++) {
		id = &token->tkn_win_grps.i_ids[gi];
		map = &sib->sib_maps[n++];
		map->sim_id = &id->i_id;
		rc = smb_idmap_batch_getid(sib->sib_idmaph, map, id->i_sid,
		    SMB_IDMAP_GROUP);
		if (rc != IDMAP_SUCCESS)
			break;
	}

	return (rc);
}
128b89a8333Snatalie li - Sun Microsystems - Irvine United States
/*
 * Error callback handed to smb_idmap_batch_getmappings() by
 * smb_token_sids2ids(): log the SID whose lookup failed so the logon
 * can proceed without it.  The batch argument is unused; it is only
 * present because the callback signature requires it.
 *
 * NOTE(review): assumes sim_domsid is non-NULL whenever a lookup fails;
 * a NULL here would reach the %s conversion — confirm against the
 * batch implementation.
 */
/* ARGSUSED */
static void
smb_token_bgm_error(smb_idmap_batch_t *sib, smb_idmap_t *sim)
{
	const char *domsid = sim->sim_domsid;

	syslog(LOG_INFO, "smb_token_sids2ids: Can't get ID for "
	    "SID %s-%u, status=%d",
	    domsid, sim->sim_rid, sim->sim_stat);
}
139*f920d1d1SGordon Ross
/*
 * smb_token_sids2ids
 *
 * Map every SID in the access token to a UID/GID.  SIDs that cannot be
 * mapped do not fail the logon: with SMB_IDMAP_SKIP_ERRS the batch
 * reports each one through smb_token_bgm_error() and the token is
 * completed as best we can, with a summary at LOG_DEBUG.
 *
 * Returns 0 upon success. Otherwise, returns -1.
 */
static int
smb_token_sids2ids(smb_token_t *token)
{
	smb_idmap_batch_t sib;
	idmap_stat rc;
	int nmaps = token->tkn_win_grps.i_cnt;
	int ret = -1;

	/*
	 * Lookups beyond the Windows groups: primary group only for
	 * Anonymous (user/owner are fixed to UID_NOBODY), otherwise
	 * user, owner and primary group.
	 */
	nmaps += ((token->tkn_flags & SMB_ATF_ANON) != 0) ? 1 : 3;

	rc = smb_idmap_batch_create(&sib, nmaps,
	    SMB_IDMAP_SID2ID | SMB_IDMAP_SKIP_ERRS);
	if (rc != IDMAP_SUCCESS)
		return (-1);

	rc = smb_token_idmap(token, &sib);
	if (rc == IDMAP_SUCCESS) {
		/* Per-SID failures are reported via the custom callback. */
		rc = smb_idmap_batch_getmappings(&sib, smb_token_bgm_error);
		if (sib.sib_nerr != 0) {
			syslog(LOG_DEBUG, "Token for user \"%s\\%s\" has "
			    "%d SIDs that could not be mapped to IDs",
			    (token->tkn_domain_name) ?
			    token->tkn_domain_name : "?",
			    (token->tkn_account_name) ?
			    token->tkn_account_name : "?",
			    sib.sib_nerr);
		}
		if (rc == IDMAP_SUCCESS)
			ret = 0;
	}

	smb_idmap_batch_destroy(&sib);
	return (ret);
}
194b89a8333Snatalie li - Sun Microsystems - Irvine United States
/*
 * smb_token_create_pxgrps
 *
 * Build the POSIX group list for the access token from the given UID.
 * Slot 0 holds the user's primary group and the remaining slots the
 * supplementary groups reported by _getgroupsbymember().  A UID with
 * no passwd entry yields an empty list; an entry without a name yields
 * the primary group alone.
 *
 * Returns a malloc'ed smb_posix_grps_t the caller owns and must free(),
 * or NULL if _SC_NGROUPS_MAX or an allocation fails.
 */
static smb_posix_grps_t *
smb_token_create_pxgrps(uid_t uid)
{
	smb_posix_grps_t *pgrps;
	struct passwd *pwd;
	gid_t *gids;
	int ngroups_max;
	int ngrps;

	ngroups_max = sysconf(_SC_NGROUPS_MAX);
	if (ngroups_max < 0) {
		syslog(LOG_ERR, "smb_logon: failed to get _SC_NGROUPS_MAX");
		return (NULL);
	}

	/*
	 * NOTE(review): getpwuid() returns library-owned storage; whether
	 * that is safe with concurrent callers in this daemon depends on
	 * the platform libc — confirm.
	 */
	pwd = getpwuid(uid);
	if (pwd == NULL || pwd->pw_name == NULL) {
		/* Nothing to look up by name: at most the primary group. */
		pgrps = malloc(sizeof (smb_posix_grps_t));
		if (pgrps == NULL)
			return (NULL);

		if (pwd == NULL) {
			pgrps->pg_ngrps = 0;
		} else {
			pgrps->pg_ngrps = 1;
			pgrps->pg_grps[0] = pwd->pw_gid;
		}
		return (pgrps);
	}

	/* calloc zero-fills, so unused slots read as gid 0 as before. */
	gids = calloc(ngroups_max, sizeof (gid_t));
	if (gids == NULL)
		return (NULL);

	/* Primary group in slot 0; members are filled in from index 1. */
	gids[0] = pwd->pw_gid;
	ngrps = _getgroupsbymember(pwd->pw_name, gids, ngroups_max, 1);
	if (ngrps == -1) {
		/* Best effort: keep the primary group only. */
		syslog(LOG_ERR, "smb_logon: unable "
		    "to get user's supplementary groups");
		ngrps = 1;
	}

	pgrps = malloc(SMB_POSIX_GRPS_SIZE(ngrps));
	if (pgrps != NULL) {
		pgrps->pg_ngrps = ngrps;
		bcopy(gids, pgrps->pg_grps, ngrps * sizeof (gid_t));
	}

	free(gids);
	return (pgrps);
}
265b89a8333Snatalie li - Sun Microsystems - Irvine United States
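/*
 * smb_token_destroy
 *
 * Release all of the memory associated with a token structure. Ensure
 * that the token has been unlinked before calling.
 *
 * The session key (tkn_ssnkey) is secret material, so its bytes are
 * scrubbed with explicit_bzero() before the buffer is released; a plain
 * bzero() of memory that is about to be freed may be optimized away.
 */
void
smb_token_destroy(smb_token_t *token)
{
	if (token == NULL)
		return;

	smb_sid_free(token->tkn_user.i_sid);
	smb_sid_free(token->tkn_owner.i_sid);
	smb_sid_free(token->tkn_primary_grp.i_sid);
	smb_ids_free(&token->tkn_win_grps);
	smb_privset_free(token->tkn_privileges);
	free(token->tkn_posix_grps);
	free(token->tkn_account_name);
	free(token->tkn_domain_name);

	/* Don't leave key bytes behind in freed heap memory. */
	if (token->tkn_ssnkey.val != NULL && token->tkn_ssnkey.len != 0)
		explicit_bzero(token->tkn_ssnkey.val, token->tkn_ssnkey.len);
	free(token->tkn_ssnkey.val);

	bzero(token, sizeof (smb_token_t));
	free(token);
}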
289b89a8333Snatalie li - Sun Microsystems - Irvine United States
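/*
 * Token owner should be set to local Administrators group
 * in two cases:
 * 1. The logged on user is a member of Domain Admins group
 * 2. They are a member of local Administrators group
 *
 * That behaviour is only compiled in with SMB_SUPPORT_GROUP_OWNER;
 * by default the owner is a duplicate of the user SID.  In either
 * build tkn_owner.i_sid is assigned exactly once (the unconditional
 * assignment used to follow the #ifdef block, which would have leaked
 * the first duplicate when the option is enabled).  The caller checks
 * the result for NULL.
 */
static void
smb_token_set_owner(smb_token_t *token)
{
#ifdef SMB_SUPPORT_GROUP_OWNER
	smb_sid_t *owner_sid;

	if (token->tkn_flags & SMB_ATF_ADMIN) {
		owner_sid = smb_wka_get_sid("Administrators");
		assert(owner_sid);
	} else {
		/* tkn_user is embedded in the token, not a pointer. */
		owner_sid = token->tkn_user.i_sid;
	}

	token->tkn_owner.i_sid = smb_sid_dup(owner_sid);
#else
	token->tkn_owner.i_sid = smb_sid_dup(token->tkn_user.i_sid);
#endif
}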
313b89a8333Snatalie li - Sun Microsystems - Irvine United States
/*
 * smb_token_create_privs
 *
 * Compute the privilege set for the token's user: the privileges of
 * every local group the user SID belongs to, plus the Administrators
 * group privileges and SeSecurityPrivilege for admin tokens, plus
 * SeChangeNotifyPrivilege ("Bypass traverse checking") for
 * authenticated (non-anonymous) users when the smb.4 setting allows.
 *
 * Returns a new privilege set the caller owns, or NULL if the set
 * cannot be allocated or the local-group iterator cannot be opened.
 */
static smb_privset_t *
smb_token_create_privs(smb_token_t *token)
{
	smb_privset_t *privs;
	smb_giter_t gi;
	smb_group_t grp;

	if ((privs = smb_privset_new()) == NULL)
		return (NULL);

	if (smb_lgrp_iteropen(&gi) != SMB_LGRP_SUCCESS) {
		smb_privset_free(privs);
		return (NULL);
	}

	/* Privileges of every local group the user is a member of. */
	while (smb_lgrp_iterate(&gi, &grp) == SMB_LGRP_SUCCESS) {
		if (smb_lgrp_is_member(&grp, token->tkn_user.i_sid))
			smb_privset_merge(privs, grp.sg_privs);
		smb_lgrp_free(&grp);
	}
	smb_lgrp_iterclose(&gi);

	if ((token->tkn_flags & SMB_ATF_ADMIN) != 0) {
		/* Writable copy: the lookup takes a non-const name. */
		char admgrp[] = "Administrators";

		/* Best effort; a missing group simply adds nothing. */
		if (smb_lgrp_getbyname(admgrp, &grp) == SMB_LGRP_SUCCESS) {
			smb_privset_merge(privs, grp.sg_privs);
			smb_lgrp_free(&grp);
		}

		/* Required to view/edit SACLs. */
		smb_privset_enable(privs, SE_SECURITY_LUID);
	}

	/*
	 * Members of "Authenticated Users" (!anon) should normally get
	 * "Bypass traverse checking" privilege, though we allow this
	 * to be disabled (see smb.4). For historical reasons, the
	 * internal privilege name is "SeChangeNotifyPrivilege".
	 */
	if ((token->tkn_flags & SMB_ATF_ANON) == 0 &&
	    smb_config_getbool(SMB_CI_BYPASS_TRAVERSE_CHECKING))
		smb_privset_enable(privs, SE_CHANGE_NOTIFY_LUID);

	return (privs);
}
365b89a8333Snatalie li - Sun Microsystems - Irvine United States
/*
 * smb_token_set_flags
 *
 * Set the SMB_ATF_ADMIN, SMB_ATF_POWERUSER and SMB_ATF_BACKUPOP token
 * flags according to membership of the corresponding well-known local
 * groups.  Flags already set on the token are left alone.
 */
static void
smb_token_set_flags(smb_token_t *token)
{
	static const struct {
		char *wka_name;
		uint32_t atf_flag;
	} wka_flags[] = {
		{ "Administrators",	SMB_ATF_ADMIN },
		{ "Power Users",	SMB_ATF_POWERUSER },
		{ "Backup Operators",	SMB_ATF_BACKUPOP },
	};
	size_t i;

	for (i = 0; i < sizeof (wka_flags) / sizeof (wka_flags[0]); i++) {
		smb_sid_t *wka_sid = smb_wka_get_sid(wka_flags[i].wka_name);

		if (smb_token_is_member(token, wka_sid))
			token->tkn_flags |= wka_flags[i].atf_flag;
	}
}
378b89a8333Snatalie li - Sun Microsystems - Irvine United States
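/*
 * Common token setup for both local and domain users.
 * This function must be called after the initial setup
 * has been done.
 *
 * Note that the order of calls in this function is important:
 * the flags decide the owner and privileges, the owner and
 * privileges must exist before the SIDs are mapped, and the POSIX
 * groups need the mapped user ID.
 *
 * Returns B_TRUE for success.
 */
boolean_t
smb_token_setup_common(smb_token_t *token)
{
	smb_token_set_flags(token);

	smb_token_set_owner(token);
	if (token->tkn_owner.i_sid == NULL)
		return (B_FALSE);

	/* Privileges */
	token->tkn_privileges = smb_token_create_privs(token);
	if (token->tkn_privileges == NULL)
		return (B_FALSE);

	if (smb_token_sids2ids(token) != 0) {
		/*
		 * Either name may be unset at this point (the idmap code
		 * guards them the same way); never hand NULL to %s.
		 */
		syslog(LOG_ERR, "%s\\%s: idmap failed",
		    (token->tkn_domain_name != NULL) ?
		    token->tkn_domain_name : "?",
		    (token->tkn_account_name != NULL) ?
		    token->tkn_account_name : "?");
		return (B_FALSE);
	}

	/* Solaris Groups */
	token->tkn_posix_grps = smb_token_create_pxgrps(token->tkn_user.i_id);

	return (smb_token_valid(token));
}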
413b89a8333Snatalie li - Sun Microsystems - Irvine United States
/*
 * Resolve the well-known local "guest" user and "domain users" group
 * into the file-scope smb_guest / smb_domusers accounts, under the
 * smb_logoninit_rwl write lock.
 *
 * Returns NT_STATUS_SUCCESS when both lookups succeed.  If the second
 * lookup fails the first result is released again so the pair is
 * either fully populated or fully empty; the failing lookup's status
 * is returned.
 */
uint32_t
smb_logon_init(void)
{
	uint32_t status;

	(void) rw_wrlock(&smb_logoninit_rwl);

	status = smb_sam_lookup_name(NULL, "guest", SidTypeUser, &smb_guest);
	if (status == NT_STATUS_SUCCESS) {
		status = smb_sam_lookup_name(NULL, "domain users",
		    SidTypeGroup, &smb_domusers);
		if (status != NT_STATUS_SUCCESS) {
			/* Don't leave a half-initialized pair behind. */
			smb_account_free(&smb_guest);
			bzero(&smb_guest, sizeof (smb_account_t));
		}
	}

	(void) rw_unlock(&smb_logoninit_rwl);
	return (status);
}
43829bd2886SAlan Wright
/*
 * Release the accounts set up by smb_logon_init() and clear them,
 * under the smb_logoninit_rwl write lock so no concurrent guest
 * logon observes a freed SID.
 */
void
smb_logon_fini(void)
{
	smb_account_t *accts[] = { &smb_guest, &smb_domusers };
	int i;

	(void) rw_wrlock(&smb_logoninit_rwl);
	for (i = 0; i < 2; i++) {
		smb_account_free(accts[i]);
		bzero(accts[i], sizeof (smb_account_t));
	}
	(void) rw_unlock(&smb_logoninit_rwl);
}
44929bd2886SAlan Wright
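/*
 * Perform user authentication.
 *
 * The logon operations are tried in order: anonymous, local, domain
 * and finally guest.  Each op must leave user_info->lg_status alone
 * unless it actually attempts to authenticate the user; the loop stops
 * at the first op that reports NT_STATUS_SUCCESS.  An op that fails
 * authoritatively (e.g. wrong password) does not stop the loop by
 * itself -- the ops that follow decide for themselves whether to act
 * on that status (smb_logon_guest, for instance, only proceeds when
 * the status is still NT_STATUS_NO_SUCH_USER).
 *
 * On success, a pointer to a new access token is returned.
 * On failure, NULL is returned and the reason is always left in
 * user_info->lg_status.  Unknown-user and wrong-password outcomes are
 * both reported as NT_STATUS_LOGON_FAILURE so a client cannot tell
 * which usernames exist; other statuses (account disabled, password
 * expired, internal error) are passed through unchanged.
 */
smb_token_t *
smb_logon(smb_logon_t *user_info)
{
	static smb_logonop_t ops[] = {
		smb_logon_anon,
		smb_logon_local,
		smb_logon_domain,
		smb_logon_guest
	};
	smb_token_t *token = NULL;
	smb_domain_t domain;
	int n_op = (sizeof (ops) / sizeof (ops[0]));
	int i;

	user_info->lg_secmode = smb_config_get_secmode();

	if (smb_domain_lookup_name(user_info->lg_e_domain, &domain))
		user_info->lg_domain_type = domain.di_type;
	else
		user_info->lg_domain_type = SMB_DOMAIN_NULL;

	if ((token = calloc(1, sizeof (smb_token_t))) == NULL) {
		syslog(LOG_ERR, "logon[%s\\%s]: %m",
		    user_info->lg_e_domain, user_info->lg_e_username);
		/*
		 * Honour the "status in lg_status on failure" contract
		 * here too; otherwise a caller that pre-zeroed user_info
		 * would see NULL together with a zero (== success) status.
		 */
		user_info->lg_status = NT_STATUS_NO_MEMORY;
		return (NULL);
	}

	/*
	 * If any logonop function takes significant action
	 * (logon or authoratative failure) it will change
	 * this status field to something else.
	 */
	user_info->lg_status = NT_STATUS_NO_SUCH_USER;
	for (i = 0; i < n_op; ++i) {
		(*ops[i])(user_info, token);

		if (user_info->lg_status == NT_STATUS_SUCCESS)
			break;
	}

	if (user_info->lg_status == NT_STATUS_SUCCESS) {
		if (smb_token_setup_common(token))
			return (token); /* success */
		/*
		 * (else) smb_token_setup_common failed, which usually
		 * means smb_token_sids2ids() failed to map some SIDs to
		 * Unix IDs. This indicates an idmap config problem.
		 */
		user_info->lg_status = NT_STATUS_INTERNAL_ERROR;
	}

	/* Releases whatever the ops left in the token, including the ssnkey. */
	smb_token_destroy(token);

	/*
	 * Any unknown user or bad password should result in
	 * NT_STATUS_LOGON_FAILURE (so we don't give hints).
	 */
	if (user_info->lg_status == NT_STATUS_NO_SUCH_USER ||
	    user_info->lg_status == NT_STATUS_WRONG_PASSWORD)
		user_info->lg_status = NT_STATUS_LOGON_FAILURE;

	return (NULL);
}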
5227f667e74Sjose borrego
/*
 * Local-account logon op.
 *
 * Declines (returns without touching lg_status) when:
 *  - we are in domain mode and the request names a domain other than
 *    the local one or a blank one (some clients, e.g. Mac OS, omit
 *    the domain name, so blank is treated as "local");
 *  - the requested account is the guest account, which is handled by
 *    smb_logon_guest() instead.
 *
 * Otherwise the credentials are checked against the local SMB password
 * database and, on success, the token is populated from the local
 * account.  Whatever status results -- including a failure from
 * smb_token_setup_local() after a successful password check -- becomes
 * user_info->lg_status and is visible to the ops that run afterwards.
 */
static void
smb_logon_local(smb_logon_t *user_info, smb_token_t *token)
{
	char guest[SMB_USERNAME_MAXLEN];
	smb_passwd_t smbpw;
	uint32_t status;
	boolean_t foreign_domain;

	foreign_domain = (user_info->lg_domain_type != SMB_DOMAIN_LOCAL) &&
	    (user_info->lg_domain_type != SMB_DOMAIN_NULL);
	if (user_info->lg_secmode == SMB_SECMODE_DOMAIN && foreign_domain)
		return;

	/* Guest requests fall through to smb_logon_guest(). */
	smb_guest_account(guest, SMB_USERNAME_MAXLEN);
	if (smb_strcasecmp(guest, user_info->lg_e_username, 0) == 0)
		return;

	status = smb_token_auth_local(user_info, token, &smbpw);
	if (status == NT_STATUS_SUCCESS)
		status = smb_token_setup_local(&smbpw, token);

	user_info->lg_status = status;
}
56129bd2886SAlan Wright
/*
 * Guest logon op.  This may be a local guest account or the guest
 * account may be mapped to a local account.
 *
 * Only proceeds when every previous op left the status at
 * NT_STATUS_NO_SUCH_USER; an authoritative failure (wrong password,
 * disabled account, ...) from an earlier op is never downgraded to a
 * guest session.
 *
 * Note that the credentials the client supplied are not verified on
 * this path: the only gate is that the guest account exists in the
 * SMB password database and is not flagged SMB_PWF_DISABLE.
 *
 * If we are not going to attempt authentication, this function must
 * return without updating the status.
 */
static void
smb_logon_guest(smb_logon_t *user_info, smb_token_t *token)
{
	char guest[SMB_USERNAME_MAXLEN];
	smb_passwd_t smbpw;
	char *requested_name;

	if (user_info->lg_status != NT_STATUS_NO_SUCH_USER)
		return;

	/* Name of the guest account; must exist and be enabled. */
	smb_guest_account(guest, SMB_USERNAME_MAXLEN);
	if (smb_pwd_getpwnam(guest, &smbpw) == NULL ||
	    (smbpw.pw_flags & SMB_PWF_DISABLE) != 0)
		return;

	/*
	 * lg_e_username is usually the (unknown) name the client asked
	 * for; point it at the guest name while the token is built so the
	 * token's account name is the guest account, then put it back.
	 */
	requested_name = user_info->lg_e_username;
	user_info->lg_e_username = guest;
	user_info->lg_status = smb_token_setup_guest(user_info, token);
	user_info->lg_e_username = requested_name;
}
605b89a8333Snatalie li - Sun Microsystems - Irvine United States
/*
 * Anonymous logon op: builds the anonymous token when the request
 * carries SMB_ATF_ANON, otherwise declines without touching lg_status.
 */
static void
smb_logon_anon(smb_logon_t *user_info, smb_token_t *token)
{
	if ((user_info->lg_flags & SMB_ATF_ANON) == 0)
		return;

	user_info->lg_status = smb_token_setup_anon(token);
}
6169fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States
/*
 * Validate the client's NTLM/LM response against the local SMB
 * password entry for lg_e_username.
 *
 * On success the entry is copied into *smbpw, the session key
 * derived by smb_auth_validate() is left in token->tkn_ssnkey and
 * NT_STATUS_SUCCESS is returned.  Failure statuses:
 *   NT_STATUS_NO_SUCH_USER      no local SMB entry
 *   NT_STATUS_ACCOUNT_DISABLED  entry flagged SMB_PWF_DISABLE
 *   NT_STATUS_PASSWORD_EXPIRED  neither LM nor NT hash is set
 *                               (hint to the client that a password
 *                               needs to be set)
 *   NT_STATUS_NO_MEMORY         session-key buffer allocation failed
 *   NT_STATUS_WRONG_PASSWORD    response did not verify; logged at
 *                               LOG_NOTICE with domain\\user
 * On WRONG_PASSWORD the session-key buffer is released again; note it
 * is not scrubbed first, so any partial key material smb_auth_validate
 * may have written remains in freed heap memory.
 */
static uint32_t
smb_token_auth_local(smb_logon_t *user_info, smb_token_t *token,
    smb_passwd_t *smbpw)
{
	uint32_t status;

	if (smb_pwd_getpwnam(user_info->lg_e_username, smbpw) == NULL)
		return (NT_STATUS_NO_SUCH_USER);

	if ((smbpw->pw_flags & SMB_PWF_DISABLE) != 0)
		return (NT_STATUS_ACCOUNT_DISABLED);

	/* No SMB hashes stored: nothing to verify against. */
	if ((smbpw->pw_flags & (SMB_PWF_LM | SMB_PWF_NT)) == 0)
		return (NT_STATUS_PASSWORD_EXPIRED);

	token->tkn_ssnkey.val = malloc(SMBAUTH_SESSION_KEY_SZ);
	if (token->tkn_ssnkey.val == NULL)
		return (NT_STATUS_NO_MEMORY);
	token->tkn_ssnkey.len = SMBAUTH_SESSION_KEY_SZ;

	/*
	 * lg_domain/lg_username (as sent by the client) feed the response
	 * computation; lg_e_* are the effective names used for lookups
	 * and logging.
	 */
	if (smb_auth_validate(smbpw,
	    user_info->lg_domain, user_info->lg_username,
	    user_info->lg_challenge_key.val, user_info->lg_challenge_key.len,
	    user_info->lg_nt_password.val, user_info->lg_nt_password.len,
	    user_info->lg_lm_password.val, user_info->lg_lm_password.len,
	    token->tkn_ssnkey.val))
		return (NT_STATUS_SUCCESS);

	free(token->tkn_ssnkey.val);
	token->tkn_ssnkey.val = NULL;
	token->tkn_ssnkey.len = 0;

	status = NT_STATUS_WRONG_PASSWORD;
	syslog(LOG_NOTICE, "logon[%s\\%s]: %s",
	    user_info->lg_e_domain, user_info->lg_e_username,
	    xlate_nt_status(status));
	return (status);
}
67329bd2886SAlan Wright
/*
 * Populate an access token for a local user that has already been
 * authenticated: account/domain names, the user's SID and primary
 * group SID (via idmap from the passwd uid/gid), then the Windows
 * group list.
 *
 * Returns NT_STATUS_SUCCESS, or:
 *   NT_STATUS_NO_MEMORY       name or SID duplication failed
 *   NT_STATUS_NO_SUCH_USER    getpwuid_r() returned nothing for the
 *                             smbpasswd uid.  NOTE(review): a buffer-
 *                             too-small (ERANGE) failure with the
 *                             fixed 1024-byte pwbuf is reported the
 *                             same way, and smb_logon_guest() treats
 *                             NO_SUCH_USER as its trigger -- confirm
 *                             that is the intended outcome.
 *   NT_STATUS_INTERNAL_ERROR  idmap batch creation or lookup failed
 * Names strdup'd before a failure are left in the token for the
 * caller's smb_token_destroy() to release.
 */
static uint32_t
smb_token_setup_local(smb_passwd_t *smbpw, smb_token_t *token)
{
	smb_idmap_batch_t sib;
	smb_idmap_t *umap, *gmap;
	struct passwd pw;
	char pwbuf[1024];
	char nbname[NETBIOS_NAME_SZ];

	(void) smb_getnetbiosname(nbname, sizeof (nbname));
	token->tkn_account_name = strdup(smbpw->pw_name);
	token->tkn_domain_name = strdup(nbname);
	if (token->tkn_account_name == NULL ||
	    token->tkn_domain_name == NULL)
		return (NT_STATUS_NO_MEMORY);

	if (getpwuid_r(smbpw->pw_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL)
		return (NT_STATUS_NO_SUCH_USER);

	/* Batch the uid and gid ID->SID lookups together. */
	if (smb_idmap_batch_create(&sib, 2, SMB_IDMAP_ID2SID) !=
	    IDMAP_SUCCESS)
		return (NT_STATUS_INTERNAL_ERROR);

	umap = &sib.sib_maps[0];
	if (smb_idmap_batch_getsid(sib.sib_idmaph, umap, pw.pw_uid,
	    SMB_IDMAP_USER) != IDMAP_SUCCESS)
		goto fail;

	gmap = &sib.sib_maps[1];
	if (smb_idmap_batch_getsid(sib.sib_idmaph, gmap, pw.pw_gid,
	    SMB_IDMAP_GROUP) != IDMAP_SUCCESS)
		goto fail;

	/* No error CB. Report errors below. */
	if (smb_idmap_batch_getmappings(&sib, NULL) != IDMAP_SUCCESS) {
		syslog(LOG_NOTICE, "logon[%s\\%s]: Can't get SID for "
		    "primary GID or UID",
		    nbname, smbpw->pw_name);
		goto fail;
	}

	/* Copy the SIDs out before the batch (and its SIDs) is torn down. */
	token->tkn_user.i_sid = smb_sid_dup(umap->sim_sid);
	token->tkn_primary_grp.i_sid = smb_sid_dup(gmap->sim_sid);
	smb_idmap_batch_destroy(&sib);

	if (token->tkn_user.i_sid == NULL ||
	    token->tkn_primary_grp.i_sid == NULL)
		return (NT_STATUS_NO_MEMORY);

	return (smb_token_setup_wingrps(token));

fail:
	smb_idmap_batch_destroy(&sib);
	return (NT_STATUS_INTERNAL_ERROR);
}
743b89a8333Snatalie li - Sun Microsystems - Irvine United States
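/*
 * Setup access token for guest connections.
 *
 * The account name comes from user_info->lg_e_username (the caller
 * points it at the guest account name first); the domain, user SID
 * and primary-group SID come from the smb_guest / smb_domusers
 * accounts resolved by smb_logon_init(), read under the
 * smb_logoninit_rwl read lock.  The session key is the all-zero
 * SessionBaseKey [MS-NLMP] prescribes for guests.
 *
 * Returns NT_STATUS_NO_MEMORY if any of the copies fail, otherwise
 * the result of smb_token_setup_wingrps().
 */
static uint32_t
smb_token_setup_guest(smb_logon_t *user_info, smb_token_t *token)
{
	/*
	 * An earlier logon op may have partially populated this token
	 * before ending with NT_STATUS_NO_SUCH_USER -- e.g. in
	 * smb_logon_local(), smb_token_auth_local() allocating the
	 * session key and smb_token_setup_local() strdup'ing the names
	 * before its getpwuid_r() lookup failed.  Release those before
	 * the assignments below overwrite the pointers, otherwise they
	 * leak.  The token starts out calloc'd, so these are NULL on
	 * the common path.
	 */
	free(token->tkn_account_name);
	free(token->tkn_domain_name);
	free(token->tkn_ssnkey.val);
	token->tkn_ssnkey.val = NULL;
	token->tkn_ssnkey.len = 0;

	token->tkn_account_name = strdup(user_info->lg_e_username);

	(void) rw_rdlock(&smb_logoninit_rwl);
	token->tkn_domain_name = strdup(smb_guest.a_domain);
	token->tkn_user.i_sid = smb_sid_dup(smb_guest.a_sid);
	token->tkn_primary_grp.i_sid = smb_sid_dup(smb_domusers.a_sid);
	(void) rw_unlock(&smb_logoninit_rwl);
	token->tkn_flags = SMB_ATF_GUEST;

	/*
	 * [MS-NLMP] 3.2.5.1.2 "Server Receives an AUTHENTICATE_MESSAGE from the
	 * Client":
	 * The 'SessionBaseKey' for Guests is 16-bytes of 0s.
	 */
	token->tkn_ssnkey.val = calloc(1, SMBAUTH_SESSION_KEY_SZ);

	if (token->tkn_account_name == NULL ||
	    token->tkn_domain_name == NULL ||
	    token->tkn_user.i_sid == NULL ||
	    token->tkn_primary_grp.i_sid == NULL ||
	    token->tkn_ssnkey.val == NULL)
		return (NT_STATUS_NO_MEMORY);

	token->tkn_ssnkey.len = SMBAUTH_SESSION_KEY_SZ;
	return (smb_token_setup_wingrps(token));
}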
77629bd2886SAlan Wright
/*
 * Setup access token for anonymous connections.
 *
 * The token is the well-known "NT Authority\Anonymous" identity: the
 * Anonymous SID serves as both user and primary-group SID, the flags
 * are set to SMB_ATF_ANON, and the session key is the all-zero
 * SessionBaseKey that [MS-NLMP] prescribes for anonymous users.
 *
 * Returns NT_STATUS_NO_MEMORY if any copy fails, otherwise the result
 * of smb_token_setup_wingrps().
 */
static uint32_t
smb_token_setup_anon(smb_token_t *token)
{
	smb_sid_t *anon_sid;
	boolean_t complete;

	token->tkn_account_name = strdup("Anonymous");
	token->tkn_domain_name = strdup("NT Authority");
	anon_sid = smb_wka_get_sid("Anonymous");
	token->tkn_user.i_sid = smb_sid_dup(anon_sid);
	token->tkn_primary_grp.i_sid = smb_sid_dup(anon_sid);
	token->tkn_flags = SMB_ATF_ANON;

	/*
	 * [MS-NLMP] 3.2.5.1.2 "Server Receives an AUTHENTICATE_MESSAGE from the
	 * Client":
	 * The 'SessionBaseKey' for Anonymous users is 16-bytes of 0s.
	 */
	token->tkn_ssnkey.val = calloc(1, SMBAUTH_SESSION_KEY_SZ);

	complete = (token->tkn_account_name != NULL &&
	    token->tkn_domain_name != NULL &&
	    token->tkn_user.i_sid != NULL &&
	    token->tkn_primary_grp.i_sid != NULL &&
	    token->tkn_ssnkey.val != NULL);
	if (!complete)
		return (NT_STATUS_NO_MEMORY);

	token->tkn_ssnkey.len = SMBAUTH_SESSION_KEY_SZ;
	return (smb_token_setup_wingrps(token));
}
809b89a8333Snatalie li - Sun Microsystems - Irvine United States
/*
 * smb_token_user_sid
 *
 * Return the user SID held in the token (not a copy; the token keeps
 * ownership).  NULL when the token itself is NULL or it carries no
 * user SID.
 */
static smb_sid_t *
smb_token_user_sid(smb_token_t *token)
{
	if (token == NULL)
		return (NULL);

	return (token->tkn_user.i_sid);
}
821b89a8333Snatalie li - Sun Microsystems - Irvine United States
/*
 * smb_token_group_sid
 *
 * Return the group SID at position *iterator in the token's Windows
 * group list (tkn_win_grps) and advance the iterator by one, so that
 * repeated calls starting from 0 walk the whole list; index 0 is the
 * primary group.  The caller may set the iterator to any value between
 * calls to fetch a specific entry.
 *
 * Returns NULL -- without advancing the iterator -- when the token or
 * iterator is NULL, the token has no group list, or the index is out
 * of range.  The returned pointer is owned by the token.
 */
static smb_sid_t *
smb_token_group_sid(smb_token_t *token, int *iterator)
{
	int idx;

	if (token == NULL || iterator == NULL ||
	    token->tkn_win_grps.i_ids == NULL)
		return (NULL);

	idx = *iterator;
	if (idx < 0 || idx >= token->tkn_win_grps.i_cnt)
		return (NULL);

	*iterator = idx + 1;
	return (token->tkn_win_grps.i_ids[idx].i_sid);
}
855b89a8333Snatalie li - Sun Microsystems - Irvine United States
/*
 * smb_token_is_member
 *
 * Check whether sid matches the token's user SID or any of its
 * Windows group SIDs (the first group is the primary group).
 * Returns B_TRUE on a match; B_FALSE otherwise, or when either
 * argument is NULL.
 */
static boolean_t
smb_token_is_member(smb_token_t *token, smb_sid_t *sid)
{
	smb_sid_t *cur;
	int pos = 0;

	if (token == NULL || sid == NULL)
		return (B_FALSE);

	/* Start with the user SID, then walk the groups via the cursor. */
	for (cur = smb_token_user_sid(token); cur != NULL;
	    cur = smb_token_group_sid(token, &pos)) {
		if (smb_sid_cmp(cur, sid))
			return (B_TRUE);
	}

	return (B_FALSE);
}
882b89a8333Snatalie li - Sun Microsystems - Irvine United States
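/*
 * smb_token_log_sidstr
 *
 * Render sid into buf (a buffer of at least SMB_SID_STRSZ bytes).
 * A NULL sid yields "-NULL-", the same placeholder smb_token_log()
 * uses for a missing domain or account name.  Whether smb_sid_tostr()
 * writes anything for a NULL sid cannot be confirmed from here, so it
 * is never handed one; buf is also cleared first so a SID that fails
 * to render logs as an empty string rather than stale buffer contents.
 */
static void
smb_token_log_sidstr(smb_sid_t *sid, char *buf, size_t buflen)
{
	if (sid == NULL) {
		(void) snprintf(buf, buflen, "-NULL-");
		return;
	}

	if (buflen > 0)
		buf[0] = '\0';
	smb_sid_tostr(sid, buf);
}

/*
 * smb_token_log
 *
 * Diagnostic routine to write the contents of a token to the log.
 * Every SID goes through smb_token_log_sidstr() so that the user,
 * owner and primary-group lines never print an uninitialized
 * string buffer when the corresponding SID is absent.
 */
void
smb_token_log(smb_token_t *token)
{
	smb_ids_t *w_grps;
	smb_id_t *grp;
	smb_posix_grps_t *x_grps;
	char sidstr[SMB_SID_STRSZ];
	int i;

	if (token == NULL)
		return;

	syslog(LOG_DEBUG, "Token for %s\\%s",
	    (token->tkn_domain_name) ? token->tkn_domain_name : "-NULL-",
	    (token->tkn_account_name) ? token->tkn_account_name : "-NULL-");

	syslog(LOG_DEBUG, " User->Attr: %d", token->tkn_user.i_attrs);
	smb_token_log_sidstr((smb_sid_t *)token->tkn_user.i_sid, sidstr,
	    sizeof (sidstr));
	syslog(LOG_DEBUG, " User->Sid: %s (id=%u)", sidstr,
	    token->tkn_user.i_id);

	smb_token_log_sidstr((smb_sid_t *)token->tkn_owner.i_sid, sidstr,
	    sizeof (sidstr));
	syslog(LOG_DEBUG, " Ownr->Sid: %s (id=%u)",
	    sidstr, token->tkn_owner.i_id);

	smb_token_log_sidstr((smb_sid_t *)token->tkn_primary_grp.i_sid, sidstr,
	    sizeof (sidstr));
	syslog(LOG_DEBUG, " PGrp->Sid: %s (id=%u)",
	    sidstr, token->tkn_primary_grp.i_id);

	w_grps = &token->tkn_win_grps;
	if (w_grps->i_ids) {
		syslog(LOG_DEBUG, " Windows groups: %d", w_grps->i_cnt);
		grp = w_grps->i_ids;
		for (i = 0; i < w_grps->i_cnt; ++i, grp++) {
			syslog(LOG_DEBUG,
			    " Grp[%d].Attr:%d", i, grp->i_attrs);
			/* Groups without a SID are skipped, as before. */
			if (grp->i_sid != NULL) {
				smb_token_log_sidstr((smb_sid_t *)grp->i_sid,
				    sidstr, sizeof (sidstr));
				syslog(LOG_DEBUG,
				    " Grp[%d].Sid: %s (id=%u)", i, sidstr,
				    grp->i_id);
			}
		}
	} else {
		syslog(LOG_DEBUG, " No Windows groups");
	}

	x_grps = token->tkn_posix_grps;
	if (x_grps) {
		syslog(LOG_DEBUG, " Solaris groups: %d", x_grps->pg_ngrps);
		for (i = 0; i < x_grps->pg_ngrps; i++)
			syslog(LOG_DEBUG, " %u", x_grps->pg_grps[i]);
	} else {
		syslog(LOG_DEBUG, " No Solaris groups");
	}

	if (token->tkn_privileges)
		smb_privset_log(token->tkn_privileges);
	else
		syslog(LOG_DEBUG, " No privileges");
}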
9497f667e74Sjose borrego
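/*
 * Sets up local and well-known group membership for the given
 * token. Two assumptions have been made here:
 *
 * a) token already contains a valid user SID so that group
 *    memberships can be established
 *
 * b) token belongs to a local or anonymous user
 *
 * On success the assembled list is stored in token->tkn_win_grps and
 * NT_STATUS_SUCCESS is returned.  On any failure the partially built
 * list is released with smb_ids_free() and the token is left untouched;
 * the returned status is NT_STATUS_NO_MEMORY for allocation failures,
 * otherwise whatever the failing lookup reported.
 */
static uint32_t
smb_token_setup_wingrps(smb_token_t *token)
{
	smb_ids_t tkn_grps;
	smb_id_t *pgrp;
	uint32_t status;

	/*
	 * The user's primary group is always the first entry.  The entry
	 * is zero-filled and i_id copied from tkn_primary_grp so that no
	 * field is left indeterminate: the previous malloc() never set
	 * i_id, yet smb_token_log() prints it for every group.
	 */
	tkn_grps.i_cnt = 1;
	if ((tkn_grps.i_ids = calloc(1, sizeof (smb_id_t))) == NULL)
		return (NT_STATUS_NO_MEMORY);

	pgrp = tkn_grps.i_ids;
	pgrp->i_sid = smb_sid_dup(token->tkn_primary_grp.i_sid);
	pgrp->i_attrs = token->tkn_primary_grp.i_attrs;
	pgrp->i_id = token->tkn_primary_grp.i_id;
	if (pgrp->i_sid == NULL) {
		smb_ids_free(&tkn_grps);
		return (NT_STATUS_NO_MEMORY);
	}

	/* Groups from the local SAM for this user (presumably appended). */
	status = smb_sam_usr_groups(token->tkn_user.i_sid, &tkn_grps);
	if (status != NT_STATUS_SUCCESS) {
		smb_ids_free(&tkn_grps);
		return (status);
	}

	/* Well-known groups selected by the token flags. */
	status = smb_wka_token_groups(token->tkn_flags, &tkn_grps);
	if (status != NT_STATUS_SUCCESS) {
		smb_ids_free(&tkn_grps);
		return (status);
	}

	/* Hand the completed list to the token; status is SUCCESS here. */
	token->tkn_win_grps = tkn_grps;
	return (status);
}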
99629bd2886SAlan Wright
/*
 * Returns the guest account name in the provided buffer.
 *
 * By default the name would be "guest" unless there's
 * an idmap name-based rule which maps the guest to a local
 * Solaris user, in which case the name of that user is
 * returned.  The buffer is always written: a failed or
 * ephemeral mapping leaves the default name in place.
 */
static void
smb_guest_account(char *guest, size_t buflen)
{
	idmap_stat rc;
	uid_t uid;
	struct passwd pw;
	char pwbuf[1024];
	int idtype = SMB_IDMAP_USER;

	/*
	 * Copy the default name and resolve the guest SID under the read
	 * lock (presumably guarding smb_guest) so both reflect the same
	 * state; the lock is dropped before any name-service call.
	 */
	(void) rw_rdlock(&smb_logoninit_rwl);
	(void) strlcpy(guest, smb_guest.a_name, buflen);
	rc = smb_idmap_getid(smb_guest.a_sid, &uid, &idtype);
	(void) rw_unlock(&smb_logoninit_rwl);

	/* No mapping, or an ephemeral one: keep the default name. */
	if (rc != IDMAP_SUCCESS || IDMAP_ID_IS_EPHEMERAL(uid))
		return;

	/* Mapped to a real local user: report that user's name instead. */
	if (getpwuid_r(uid, &pw, pwbuf, sizeof (pwbuf)) != NULL)
		(void) strlcpy(guest, pw.pw_name, buflen);
}