/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License (the "License"). * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at usr/src/OPENSOLARIS.LICENSE. * If applicable, add the following below this CDDL HEADER, with the * fields enclosed by brackets "[]" replaced with your own identifying * information: Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END */ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. * Copyright 2018 Nexenta Systems, Inc. All rights reserved. */ /* * SMB server interface to idmap * (smb_idmap_get..., smb_idmap_batch_...) * * There are three implementations of this interface. * This is the kernel version of these routines. See also: * $SRC/lib/smbsrv/libfksmbsrv/common/fksmb_idmap.c * $SRC/lib/smbsrv/libsmb/common/smb_idmap.c * * There are enough differences (relative to the code size) * that it's more trouble than it's worth to merge them. * * This one differs from the others in that it: * calls kernel (kidmap_...) interfaces * returned domain SIDs are shared, not strdup'ed */ /* * SMB ID mapping * * Solaris ID mapping service (aka Winchester) works with domain SIDs * and RIDs where domain SIDs are in string format. CIFS service works * with binary SIDs understandable by CIFS clients. A layer of SMB ID * mapping functions are implemeted to hide the SID conversion details * and also hide the handling of array of batch mapping requests. */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static int smb_idmap_batch_binsid(smb_idmap_batch_t *sib); /* * smb_idmap_getsid * * Maps the given Solaris ID to a Windows SID using the * simple mapping API. */ idmap_stat smb_idmap_getsid(uid_t id, int idtype, smb_sid_t **sid) { smb_idmap_t sim; switch (idtype) { case SMB_IDMAP_USER: sim.sim_stat = kidmap_getsidbyuid(global_zone, id, (const char **)&sim.sim_domsid, &sim.sim_rid); break; case SMB_IDMAP_GROUP: sim.sim_stat = kidmap_getsidbygid(global_zone, id, (const char **)&sim.sim_domsid, &sim.sim_rid); break; case SMB_IDMAP_EVERYONE: /* Everyone S-1-1-0 */ sim.sim_domsid = "S-1-1"; sim.sim_rid = 0; sim.sim_stat = IDMAP_SUCCESS; break; default: ASSERT(0); return (IDMAP_ERR_ARG); } /* * IDMAP_ERR_NOTFOUND is an advisory error * and idmap will generate a local sid. */ if (sim.sim_stat == IDMAP_ERR_NOTFOUND && sim.sim_domsid != NULL) sim.sim_stat = IDMAP_SUCCESS; if (sim.sim_stat != IDMAP_SUCCESS) return (sim.sim_stat); if (sim.sim_domsid == NULL) return (IDMAP_ERR_NOMAPPING); sim.sim_sid = smb_sid_fromstr(sim.sim_domsid); if (sim.sim_sid == NULL) return (IDMAP_ERR_INTERNAL); *sid = smb_sid_splice(sim.sim_sid, sim.sim_rid); smb_sid_free(sim.sim_sid); if (*sid == NULL) sim.sim_stat = IDMAP_ERR_INTERNAL; return (sim.sim_stat); } /* * smb_idmap_getid * * Maps the given Windows SID to a Unix ID using the * simple mapping API. */ idmap_stat smb_idmap_getid(smb_sid_t *sid, uid_t *id, int *idtype) { smb_idmap_t sim; char sidstr[SMB_SID_STRSZ]; smb_sid_tostr(sid, sidstr); if (smb_sid_splitstr(sidstr, &sim.sim_rid) != 0) return (IDMAP_ERR_SID); sim.sim_domsid = sidstr; sim.sim_id = id; switch (*idtype) { case SMB_IDMAP_USER: sim.sim_stat = kidmap_getuidbysid(global_zone, sim.sim_domsid, sim.sim_rid, sim.sim_id); break; case SMB_IDMAP_GROUP: sim.sim_stat = kidmap_getgidbysid(global_zone, sim.sim_domsid, sim.sim_rid, sim.sim_id); break; case SMB_IDMAP_UNKNOWN: sim.sim_stat = kidmap_getpidbysid(global_zone, sim.sim_domsid, sim.sim_rid, sim.sim_id, &sim.sim_idtype); break; default: ASSERT(0); return (IDMAP_ERR_ARG); } *idtype = sim.sim_idtype; return (sim.sim_stat); } /* * smb_idmap_batch_create * * Creates and initializes the context for batch ID mapping. */ idmap_stat smb_idmap_batch_create(smb_idmap_batch_t *sib, uint16_t nmap, int flags) { ASSERT(sib != NULL); bzero(sib, sizeof (smb_idmap_batch_t)); sib->sib_idmaph = kidmap_get_create(global_zone); sib->sib_flags = flags; sib->sib_nmap = nmap; sib->sib_size = nmap * sizeof (smb_idmap_t); sib->sib_maps = kmem_zalloc(sib->sib_size, KM_SLEEP); return (IDMAP_SUCCESS); } /* * smb_idmap_batch_destroy * * Frees the batch ID mapping context. * If ID mapping is Solaris -> Windows it frees memories * allocated for binary SIDs. */ void smb_idmap_batch_destroy(smb_idmap_batch_t *sib) { char *domsid; int i; ASSERT(sib != NULL); ASSERT(sib->sib_maps != NULL); if (sib->sib_idmaph) { kidmap_get_destroy(sib->sib_idmaph); sib->sib_idmaph = NULL; } if (sib->sib_flags & SMB_IDMAP_ID2SID) { /* * SIDs are allocated only when mapping * UID/GID to SIDs */ for (i = 0; i < sib->sib_nmap; i++) smb_sid_free(sib->sib_maps[i].sim_sid); } else if (sib->sib_flags & SMB_IDMAP_SID2ID) { /* * SID prefixes are allocated only when mapping * SIDs to UID/GID */ for (i = 0; i < sib->sib_nmap; i++) { domsid = sib->sib_maps[i].sim_domsid; if (domsid) smb_mem_free(domsid); } } if (sib->sib_size && sib->sib_maps) { kmem_free(sib->sib_maps, sib->sib_size); sib->sib_maps = NULL; } } /* * smb_idmap_batch_getid * * Queue a request to map the given SID to a UID or GID. * * sim->sim_id should point to variable that's supposed to * hold the returned UID/GID. This needs to be setup by caller * of this function. * * If requested ID type is known, it's passed as 'idtype', * if it's unknown it'll be returned in sim->sim_idtype. */ idmap_stat smb_idmap_batch_getid(idmap_get_handle_t *idmaph, smb_idmap_t *sim, smb_sid_t *sid, int idtype) { char strsid[SMB_SID_STRSZ]; idmap_stat idm_stat; ASSERT(idmaph != NULL); ASSERT(sim != NULL); ASSERT(sid != NULL); smb_sid_tostr(sid, strsid); if (smb_sid_splitstr(strsid, &sim->sim_rid) != 0) return (IDMAP_ERR_SID); /* Note: Free sim_domsid in smb_idmap_batch_destroy */ sim->sim_domsid = smb_mem_strdup(strsid); sim->sim_idtype = idtype; switch (idtype) { case SMB_IDMAP_USER: idm_stat = kidmap_batch_getuidbysid(idmaph, sim->sim_domsid, sim->sim_rid, sim->sim_id, &sim->sim_stat); break; case SMB_IDMAP_GROUP: idm_stat = kidmap_batch_getgidbysid(idmaph, sim->sim_domsid, sim->sim_rid, sim->sim_id, &sim->sim_stat); break; case SMB_IDMAP_UNKNOWN: idm_stat = kidmap_batch_getpidbysid(idmaph, sim->sim_domsid, sim->sim_rid, sim->sim_id, &sim->sim_idtype, &sim->sim_stat); break; default: ASSERT(0); return (IDMAP_ERR_ARG); } return (idm_stat); } /* * smb_idmap_batch_getsid * * Queue a request to map the given UID/GID to a SID. * * sim->sim_domsid and sim->sim_rid will contain the mapping * result upon successful process of the batched request. * Stash the type for error reporting (caller saves the ID). */ idmap_stat smb_idmap_batch_getsid(idmap_get_handle_t *idmaph, smb_idmap_t *sim, uid_t id, int idtype) { idmap_stat idm_stat; sim->sim_idtype = idtype; switch (idtype) { case SMB_IDMAP_USER: idm_stat = kidmap_batch_getsidbyuid(idmaph, id, (const char **)&sim->sim_domsid, &sim->sim_rid, &sim->sim_stat); break; case SMB_IDMAP_GROUP: idm_stat = kidmap_batch_getsidbygid(idmaph, id, (const char **)&sim->sim_domsid, &sim->sim_rid, &sim->sim_stat); break; case SMB_IDMAP_OWNERAT: /* Current Owner S-1-5-32-766 */ sim->sim_domsid = NT_BUILTIN_DOMAIN_SIDSTR; sim->sim_rid = SECURITY_CURRENT_OWNER_RID; sim->sim_stat = IDMAP_SUCCESS; idm_stat = IDMAP_SUCCESS; break; case SMB_IDMAP_GROUPAT: /* Current Group S-1-5-32-767 */ sim->sim_domsid = NT_BUILTIN_DOMAIN_SIDSTR; sim->sim_rid = SECURITY_CURRENT_GROUP_RID; sim->sim_stat = IDMAP_SUCCESS; idm_stat = IDMAP_SUCCESS; break; case SMB_IDMAP_EVERYONE: /* Everyone S-1-1-0 */ sim->sim_domsid = NT_WORLD_AUTH_SIDSTR; sim->sim_rid = 0; sim->sim_stat = IDMAP_SUCCESS; idm_stat = IDMAP_SUCCESS; break; default: ASSERT(0); return (IDMAP_ERR_ARG); } return (idm_stat); } static void smb_idmap_bgm_report(smb_idmap_batch_t *sib, smb_idmap_t *sim) { if ((sib->sib_flags & SMB_IDMAP_ID2SID) != 0) { /* * Note: The ID and type we asked idmap to map * were saved in *sim_id and sim_idtype. */ uint_t id = (sim->sim_id == NULL) ? 0 : (uint_t)*sim->sim_id; cmn_err(CE_WARN, "Can't get SID for " "ID=%u type=%d, status=%d", id, sim->sim_idtype, sim->sim_stat); } if ((sib->sib_flags & SMB_IDMAP_SID2ID) != 0) { cmn_err(CE_WARN, "Can't get ID for SID %s-%u, status=%d", sim->sim_domsid, sim->sim_rid, sim->sim_stat); } } /* * smb_idmap_batch_getmappings * * trigger ID mapping service to get the mappings for queued * requests. * * Checks the result of all the queued requests. * If this is a Solaris -> Windows mapping it generates * binary SIDs from returned (domsid, rid) pairs. */ idmap_stat smb_idmap_batch_getmappings(smb_idmap_batch_t *sib) { idmap_stat idm_stat = IDMAP_SUCCESS; smb_idmap_t *sim; int i; idm_stat = kidmap_get_mappings(sib->sib_idmaph); if (idm_stat != IDMAP_SUCCESS) return (idm_stat); /* * Check the status for all the queued requests */ for (i = 0, sim = sib->sib_maps; i < sib->sib_nmap; i++, sim++) { if (sim->sim_stat != IDMAP_SUCCESS) { smb_idmap_bgm_report(sib, sim); if ((sib->sib_flags & SMB_IDMAP_SKIP_ERRS) == 0) { return (sim->sim_stat); } } } if (smb_idmap_batch_binsid(sib) != 0) idm_stat = IDMAP_ERR_OTHER; return (idm_stat); } /* * smb_idmap_batch_binsid * * Convert sidrids to binary sids * * Returns 0 if successful and non-zero upon failure. */ static int smb_idmap_batch_binsid(smb_idmap_batch_t *sib) { smb_sid_t *sid; smb_idmap_t *sim; int i; if (sib->sib_flags & SMB_IDMAP_SID2ID) /* This operation is not required */ return (0); sim = sib->sib_maps; for (i = 0; i < sib->sib_nmap; sim++, i++) { ASSERT(sim->sim_domsid != NULL); if (sim->sim_domsid == NULL) return (1); if ((sid = smb_sid_fromstr(sim->sim_domsid)) == NULL) return (1); sim->sim_sid = smb_sid_splice(sid, sim->sim_rid); smb_sid_free(sid); } return (0); }