1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 #include <unistd.h>
26 #include <strings.h>
27 #include <pwd.h>
28 #include <grp.h>
29 #include <time.h>
30 #include <syslog.h>
31 #include <assert.h>
32 #include <synch.h>
33
34 #include <smbsrv/libsmb.h>
35 #include <smbsrv/libmlsvc.h>
36
37 #include <smbsrv/smbinfo.h>
38 #include <smbsrv/smb_token.h>
39 #include <lsalib.h>
40
41 static smb_account_t smb_guest;
42 static smb_account_t smb_domusers;
43 static rwlock_t smb_logoninit_rwl;
44
45 typedef void (*smb_logonop_t)(smb_logon_t *, smb_token_t *);
46
47 extern void smb_logon_domain(smb_logon_t *, smb_token_t *);
48 static void smb_logon_local(smb_logon_t *, smb_token_t *);
49 static void smb_logon_guest(smb_logon_t *, smb_token_t *);
50 static void smb_logon_anon(smb_logon_t *, smb_token_t *);
51
52 static uint32_t smb_token_auth_local(smb_logon_t *, smb_token_t *,
53 smb_passwd_t *);
54
55 static uint32_t smb_token_setup_local(smb_passwd_t *, smb_token_t *);
56 static uint32_t smb_token_setup_guest(smb_logon_t *, smb_token_t *);
57 static uint32_t smb_token_setup_anon(smb_token_t *token);
58
59 static boolean_t smb_token_is_member(smb_token_t *, smb_sid_t *);
60 static uint32_t smb_token_setup_wingrps(smb_token_t *);
61 static smb_posix_grps_t *smb_token_create_pxgrps(uid_t);
62
63 static void smb_guest_account(char *, size_t);
64
65 /* Consolidation private function from Network Repository */
66 extern int _getgroupsbymember(const char *, gid_t[], int, int);
67
68 static idmap_stat
smb_token_idmap(smb_token_t * token,smb_idmap_batch_t * sib)69 smb_token_idmap(smb_token_t *token, smb_idmap_batch_t *sib)
70 {
71 idmap_stat stat;
72 smb_idmap_t *sim;
73 smb_id_t *id;
74 int i;
75
76 if (!token || !sib)
77 return (IDMAP_ERR_ARG);
78
79 sim = sib->sib_maps;
80
81 if (token->tkn_flags & SMB_ATF_ANON) {
82 token->tkn_user.i_id = UID_NOBODY;
83 token->tkn_owner.i_id = UID_NOBODY;
84 } else {
85 /* User SID */
86 id = &token->tkn_user;
87 sim->sim_id = &id->i_id;
88 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++,
89 id->i_sid, SMB_IDMAP_USER);
90
91 if (stat != IDMAP_SUCCESS)
92 return (stat);
93
94 /* Owner SID */
95 id = &token->tkn_owner;
96 sim->sim_id = &id->i_id;
97 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++,
98 id->i_sid, SMB_IDMAP_USER);
99
100 if (stat != IDMAP_SUCCESS)
101 return (stat);
102 }
103
104 /* Primary Group SID */
105 id = &token->tkn_primary_grp;
106 sim->sim_id = &id->i_id;
107 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, id->i_sid,
108 SMB_IDMAP_GROUP);
109
110 if (stat != IDMAP_SUCCESS)
111 return (stat);
112
113 /* Other Windows Group SIDs */
114 for (i = 0; i < token->tkn_win_grps.i_cnt; i++, sim++) {
115 id = &token->tkn_win_grps.i_ids[i];
116 sim->sim_id = &id->i_id;
117 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim,
118 id->i_sid, SMB_IDMAP_GROUP);
119
120 if (stat != IDMAP_SUCCESS)
121 break;
122 }
123
124 return (stat);
125 }
126
127 /*
128 * smb_token_sids2ids
129 *
130 * This will map all the SIDs of the access token to UIDs/GIDs.
131 *
132 * Returns 0 upon success. Otherwise, returns -1.
133 */
134 static int
smb_token_sids2ids(smb_token_t * token)135 smb_token_sids2ids(smb_token_t *token)
136 {
137 idmap_stat stat;
138 int nmaps;
139 smb_idmap_batch_t sib;
140
141 /*
142 * Number of idmap lookups: user SID, owner SID, primary group SID,
143 * and all Windows group SIDs. Skip user/owner SID for Anonymous.
144 */
145 if (token->tkn_flags & SMB_ATF_ANON)
146 nmaps = token->tkn_win_grps.i_cnt + 1;
147 else
148 nmaps = token->tkn_win_grps.i_cnt + 3;
149
150 stat = smb_idmap_batch_create(&sib, nmaps, SMB_IDMAP_SID2ID);
151 if (stat != IDMAP_SUCCESS)
152 return (-1);
153
154 stat = smb_token_idmap(token, &sib);
155 if (stat != IDMAP_SUCCESS) {
156 smb_idmap_batch_destroy(&sib);
157 return (-1);
158 }
159
160 stat = smb_idmap_batch_getmappings(&sib);
161 smb_idmap_batch_destroy(&sib);
162 smb_idmap_check("smb_idmap_batch_getmappings", stat);
163
164 return (stat == IDMAP_SUCCESS ? 0 : -1);
165 }
166
167 /*
168 * smb_token_create_pxgrps
169 *
170 * Setup the POSIX group membership of the access token if the given UID is
171 * a POSIX UID (non-ephemeral). Both the user's primary group and
172 * supplementary groups will be added to the POSIX group array of the access
173 * token.
174 */
175 static smb_posix_grps_t *
smb_token_create_pxgrps(uid_t uid)176 smb_token_create_pxgrps(uid_t uid)
177 {
178 struct passwd *pwd;
179 smb_posix_grps_t *pgrps;
180 int ngroups_max, num;
181 gid_t *gids;
182
183 if ((ngroups_max = sysconf(_SC_NGROUPS_MAX)) < 0) {
184 syslog(LOG_ERR, "smb_logon: failed to get _SC_NGROUPS_MAX");
185 return (NULL);
186 }
187
188 pwd = getpwuid(uid);
189 if (pwd == NULL) {
190 pgrps = malloc(sizeof (smb_posix_grps_t));
191 if (pgrps == NULL)
192 return (NULL);
193
194 pgrps->pg_ngrps = 0;
195 return (pgrps);
196 }
197
198 if (pwd->pw_name == NULL) {
199 pgrps = malloc(sizeof (smb_posix_grps_t));
200 if (pgrps == NULL)
201 return (NULL);
202
203 pgrps->pg_ngrps = 1;
204 pgrps->pg_grps[0] = pwd->pw_gid;
205 return (pgrps);
206 }
207
208 gids = (gid_t *)malloc(ngroups_max * sizeof (gid_t));
209 if (gids == NULL) {
210 return (NULL);
211 }
212 bzero(gids, ngroups_max * sizeof (gid_t));
213
214 gids[0] = pwd->pw_gid;
215
216 /*
217 * Setup the groups starting at index 1 (the last arg)
218 * of gids array.
219 */
220 num = _getgroupsbymember(pwd->pw_name, gids, ngroups_max, 1);
221
222 if (num == -1) {
223 syslog(LOG_ERR, "smb_logon: unable "
224 "to get user's supplementary groups");
225 num = 1;
226 }
227
228 pgrps = (smb_posix_grps_t *)malloc(SMB_POSIX_GRPS_SIZE(num));
229 if (pgrps) {
230 pgrps->pg_ngrps = num;
231 bcopy(gids, pgrps->pg_grps, num * sizeof (gid_t));
232 }
233
234 free(gids);
235 return (pgrps);
236 }
237
238 /*
239 * smb_token_destroy
240 *
241 * Release all of the memory associated with a token structure. Ensure
242 * that the token has been unlinked before calling.
243 */
244 void
smb_token_destroy(smb_token_t * token)245 smb_token_destroy(smb_token_t *token)
246 {
247 if (token != NULL) {
248 smb_sid_free(token->tkn_user.i_sid);
249 smb_sid_free(token->tkn_owner.i_sid);
250 smb_sid_free(token->tkn_primary_grp.i_sid);
251 smb_ids_free(&token->tkn_win_grps);
252 smb_privset_free(token->tkn_privileges);
253 free(token->tkn_posix_grps);
254 free(token->tkn_account_name);
255 free(token->tkn_domain_name);
256 free(token->tkn_session_key);
257 bzero(token, sizeof (smb_token_t));
258 free(token);
259 }
260 }
261
262 /*
263 * Token owner should be set to local Administrators group
264 * in two cases:
265 * 1. The logged on user is a member of Domain Admins group
266 * 2. he/she is a member of local Administrators group
267 */
268 static void
smb_token_set_owner(smb_token_t * token)269 smb_token_set_owner(smb_token_t *token)
270 {
271 #ifdef SMB_SUPPORT_GROUP_OWNER
272 smb_sid_t *owner_sid;
273
274 if (token->tkn_flags & SMB_ATF_ADMIN) {
275 owner_sid = smb_wka_get_sid("Administrators");
276 assert(owner_sid);
277 } else {
278 owner_sid = token->tkn_user->i_sid;
279 }
280
281 token->tkn_owner.i_sid = smb_sid_dup(owner_sid);
282 #endif
283 token->tkn_owner.i_sid = smb_sid_dup(token->tkn_user.i_sid);
284 }
285
286 static smb_privset_t *
smb_token_create_privs(smb_token_t * token)287 smb_token_create_privs(smb_token_t *token)
288 {
289 smb_privset_t *privs;
290 smb_giter_t gi;
291 smb_group_t grp;
292 int rc;
293
294 privs = smb_privset_new();
295 if (privs == NULL)
296 return (NULL);
297
298 if (smb_lgrp_iteropen(&gi) != SMB_LGRP_SUCCESS) {
299 smb_privset_free(privs);
300 return (NULL);
301 }
302
303 while (smb_lgrp_iterate(&gi, &grp) == SMB_LGRP_SUCCESS) {
304 if (smb_lgrp_is_member(&grp, token->tkn_user.i_sid))
305 smb_privset_merge(privs, grp.sg_privs);
306 smb_lgrp_free(&grp);
307 }
308 smb_lgrp_iterclose(&gi);
309
310 if (token->tkn_flags & SMB_ATF_ADMIN) {
311 char admgrp[] = "Administrators";
312
313 rc = smb_lgrp_getbyname(admgrp, &grp);
314 if (rc == SMB_LGRP_SUCCESS) {
315 smb_privset_merge(privs, grp.sg_privs);
316 smb_lgrp_free(&grp);
317 }
318
319 /*
320 * This privilege is required to view/edit SACL
321 */
322 smb_privset_enable(privs, SE_SECURITY_LUID);
323 }
324
325 return (privs);
326 }
327
328 static void
smb_token_set_flags(smb_token_t * token)329 smb_token_set_flags(smb_token_t *token)
330 {
331 if (smb_token_is_member(token, smb_wka_get_sid("Administrators")))
332 token->tkn_flags |= SMB_ATF_ADMIN;
333
334 if (smb_token_is_member(token, smb_wka_get_sid("Power Users")))
335 token->tkn_flags |= SMB_ATF_POWERUSER;
336
337 if (smb_token_is_member(token, smb_wka_get_sid("Backup Operators")))
338 token->tkn_flags |= SMB_ATF_BACKUPOP;
339 }
340
341 /*
342 * Common token setup for both local and domain users.
343 * This function must be called after the initial setup
344 * has been done.
345 *
346 * Note that the order of calls in this function are important.
347 */
348 static boolean_t
smb_token_setup_common(smb_token_t * token)349 smb_token_setup_common(smb_token_t *token)
350 {
351 smb_token_set_flags(token);
352
353 smb_token_set_owner(token);
354 if (token->tkn_owner.i_sid == NULL)
355 return (B_FALSE);
356
357 /* Privileges */
358 token->tkn_privileges = smb_token_create_privs(token);
359 if (token->tkn_privileges == NULL)
360 return (B_FALSE);
361
362 if (smb_token_sids2ids(token) != 0) {
363 syslog(LOG_ERR, "%s\\%s: idmap failed",
364 token->tkn_domain_name, token->tkn_account_name);
365 return (B_FALSE);
366 }
367
368 /* Solaris Groups */
369 token->tkn_posix_grps = smb_token_create_pxgrps(token->tkn_user.i_id);
370
371 return (smb_token_valid(token));
372 }
373
374 uint32_t
smb_logon_init(void)375 smb_logon_init(void)
376 {
377 uint32_t status;
378
379 (void) rw_wrlock(&smb_logoninit_rwl);
380 status = smb_sam_lookup_name(NULL, "guest", SidTypeUser, &smb_guest);
381 if (status != NT_STATUS_SUCCESS) {
382 (void) rw_unlock(&smb_logoninit_rwl);
383 return (status);
384 }
385
386 status = smb_sam_lookup_name(NULL, "domain users", SidTypeGroup,
387 &smb_domusers);
388 if (status != NT_STATUS_SUCCESS) {
389 smb_account_free(&smb_guest);
390 bzero(&smb_guest, sizeof (smb_account_t));
391 (void) rw_unlock(&smb_logoninit_rwl);
392 return (status);
393 }
394
395 (void) rw_unlock(&smb_logoninit_rwl);
396 return (status);
397 }
398
399 void
smb_logon_fini(void)400 smb_logon_fini(void)
401 {
402 (void) rw_wrlock(&smb_logoninit_rwl);
403 smb_account_free(&smb_guest);
404 smb_account_free(&smb_domusers);
405 bzero(&smb_guest, sizeof (smb_account_t));
406 bzero(&smb_domusers, sizeof (smb_account_t));
407 (void) rw_unlock(&smb_logoninit_rwl);
408 }
409
410 /*
411 * Perform user authentication.
412 *
413 * The dispatched functions must only update the user_info status if they
414 * attempt to authenticate the user.
415 *
416 * On success, a pointer to a new access token is returned.
417 */
418 smb_token_t *
smb_logon(smb_logon_t * user_info)419 smb_logon(smb_logon_t *user_info)
420 {
421 static smb_logonop_t ops[] = {
422 smb_logon_anon,
423 smb_logon_local,
424 smb_logon_domain,
425 smb_logon_guest
426 };
427 smb_token_t *token = NULL;
428 smb_domain_t domain;
429 int n_op = (sizeof (ops) / sizeof (ops[0]));
430 int i;
431
432 user_info->lg_secmode = smb_config_get_secmode();
433 user_info->lg_status = NT_STATUS_NO_SUCH_USER;
434
435 if (smb_domain_lookup_name(user_info->lg_e_domain, &domain))
436 user_info->lg_domain_type = domain.di_type;
437 else
438 user_info->lg_domain_type = SMB_DOMAIN_NULL;
439
440 if ((token = calloc(1, sizeof (smb_token_t))) == NULL) {
441 syslog(LOG_ERR, "logon[%s\\%s]: %m",
442 user_info->lg_e_domain, user_info->lg_e_username);
443 return (NULL);
444 }
445
446 for (i = 0; i < n_op; ++i) {
447 (*ops[i])(user_info, token);
448
449 if (user_info->lg_status == NT_STATUS_SUCCESS)
450 break;
451 }
452
453 if (user_info->lg_status == NT_STATUS_SUCCESS) {
454 if (smb_token_setup_common(token))
455 return (token);
456 }
457
458 smb_token_destroy(token);
459 return (NULL);
460 }
461
462 /*
463 * If the user has an entry in the local database, attempt local authentication.
464 *
465 * In domain mode, we try to exclude domain accounts, which we do by only
466 * accepting local or null (blank) domain names here. Some clients (Mac OS)
467 * don't always send the domain name.
468 *
469 * If we are not going to attempt authentication, this function must return
470 * without updating the status.
471 */
472 static void
smb_logon_local(smb_logon_t * user_info,smb_token_t * token)473 smb_logon_local(smb_logon_t *user_info, smb_token_t *token)
474 {
475 char guest[SMB_USERNAME_MAXLEN];
476 smb_passwd_t smbpw;
477 uint32_t status;
478 boolean_t isguest;
479
480 if (user_info->lg_secmode == SMB_SECMODE_DOMAIN) {
481 if ((user_info->lg_domain_type != SMB_DOMAIN_LOCAL) &&
482 (user_info->lg_domain_type != SMB_DOMAIN_NULL))
483 return;
484 }
485
486 smb_guest_account(guest, SMB_USERNAME_MAXLEN);
487 isguest = (smb_strcasecmp(guest, user_info->lg_e_username, 0) == 0);
488
489 status = smb_token_auth_local(user_info, token, &smbpw);
490 if (status == NT_STATUS_SUCCESS) {
491 if (isguest)
492 status = smb_token_setup_guest(user_info, token);
493 else
494 status = smb_token_setup_local(&smbpw, token);
495 }
496
497 user_info->lg_status = status;
498 }
499
500 /*
501 * Guest authentication. This may be a local guest account or the guest
502 * account may be mapped to a local account. These accounts are regular
503 * accounts with normal password protection.
504 *
505 * Only proceed with a guest logon if previous logon options have resulted
506 * in NO_SUCH_USER.
507 *
508 * If we are not going to attempt authentication, this function must return
509 * without updating the status.
510 */
511 static void
smb_logon_guest(smb_logon_t * user_info,smb_token_t * token)512 smb_logon_guest(smb_logon_t *user_info, smb_token_t *token)
513 {
514 char guest[SMB_USERNAME_MAXLEN];
515 smb_passwd_t smbpw;
516 char *temp;
517 uint32_t status;
518
519 if (user_info->lg_status != NT_STATUS_NO_SUCH_USER)
520 return;
521
522 smb_guest_account(guest, SMB_USERNAME_MAXLEN);
523 temp = user_info->lg_e_username;
524 user_info->lg_e_username = guest;
525
526 status = smb_token_auth_local(user_info, token, &smbpw);
527 if ((status == NT_STATUS_SUCCESS) ||
528 (status == NT_STATUS_NO_SUCH_USER)) {
529 status = smb_token_setup_guest(user_info, token);
530 }
531
532 user_info->lg_e_username = temp;
533 user_info->lg_status = status;
534 }
535
536 /*
537 * If user_info represents an anonymous user then setup the token.
538 * Otherwise return without updating the status.
539 */
540 static void
smb_logon_anon(smb_logon_t * user_info,smb_token_t * token)541 smb_logon_anon(smb_logon_t *user_info, smb_token_t *token)
542 {
543 if (user_info->lg_flags & SMB_ATF_ANON)
544 user_info->lg_status = smb_token_setup_anon(token);
545 }
546
547 /*
548 * Try both LM hash and NT hashes with user's password(s) to authenticate
549 * the user.
550 */
551 static uint32_t
smb_token_auth_local(smb_logon_t * user_info,smb_token_t * token,smb_passwd_t * smbpw)552 smb_token_auth_local(smb_logon_t *user_info, smb_token_t *token,
553 smb_passwd_t *smbpw)
554 {
555 boolean_t lm_ok, nt_ok;
556 uint32_t status = NT_STATUS_SUCCESS;
557
558 if (smb_pwd_getpwnam(user_info->lg_e_username, smbpw) == NULL)
559 return (NT_STATUS_NO_SUCH_USER);
560
561 if (smbpw->pw_flags & SMB_PWF_DISABLE)
562 return (NT_STATUS_ACCOUNT_DISABLED);
563
564 nt_ok = lm_ok = B_FALSE;
565 if ((smbpw->pw_flags & SMB_PWF_LM) &&
566 (user_info->lg_lm_password.len != 0)) {
567 lm_ok = smb_auth_validate_lm(
568 user_info->lg_challenge_key.val,
569 user_info->lg_challenge_key.len,
570 smbpw,
571 user_info->lg_lm_password.val,
572 user_info->lg_lm_password.len,
573 user_info->lg_domain,
574 user_info->lg_username);
575 token->tkn_session_key = NULL;
576 }
577
578 if (!lm_ok && (user_info->lg_nt_password.len != 0)) {
579 token->tkn_session_key = malloc(SMBAUTH_SESSION_KEY_SZ);
580 if (token->tkn_session_key == NULL)
581 return (NT_STATUS_NO_MEMORY);
582 nt_ok = smb_auth_validate_nt(
583 user_info->lg_challenge_key.val,
584 user_info->lg_challenge_key.len,
585 smbpw,
586 user_info->lg_nt_password.val,
587 user_info->lg_nt_password.len,
588 user_info->lg_domain,
589 user_info->lg_username,
590 (uchar_t *)token->tkn_session_key);
591 }
592
593 if (!nt_ok && !lm_ok) {
594 status = NT_STATUS_WRONG_PASSWORD;
595 syslog(LOG_NOTICE, "logon[%s\\%s]: %s",
596 user_info->lg_e_domain, user_info->lg_e_username,
597 xlate_nt_status(status));
598 }
599
600 return (status);
601 }
602
603 /*
604 * Setup an access token for the specified local user.
605 */
606 static uint32_t
smb_token_setup_local(smb_passwd_t * smbpw,smb_token_t * token)607 smb_token_setup_local(smb_passwd_t *smbpw, smb_token_t *token)
608 {
609 idmap_stat stat;
610 smb_idmap_batch_t sib;
611 smb_idmap_t *umap, *gmap;
612 struct passwd pw;
613 char pwbuf[1024];
614 char nbname[NETBIOS_NAME_SZ];
615
616 (void) smb_getnetbiosname(nbname, sizeof (nbname));
617 token->tkn_account_name = strdup(smbpw->pw_name);
618 token->tkn_domain_name = strdup(nbname);
619
620 if (token->tkn_account_name == NULL ||
621 token->tkn_domain_name == NULL)
622 return (NT_STATUS_NO_MEMORY);
623
624 if (getpwuid_r(smbpw->pw_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL)
625 return (NT_STATUS_NO_SUCH_USER);
626
627 /* Get the SID for user's uid & gid */
628 stat = smb_idmap_batch_create(&sib, 2, SMB_IDMAP_ID2SID);
629 if (stat != IDMAP_SUCCESS)
630 return (NT_STATUS_INTERNAL_ERROR);
631
632 umap = &sib.sib_maps[0];
633 stat = smb_idmap_batch_getsid(sib.sib_idmaph, umap, pw.pw_uid,
634 SMB_IDMAP_USER);
635
636 if (stat != IDMAP_SUCCESS) {
637 smb_idmap_batch_destroy(&sib);
638 return (NT_STATUS_INTERNAL_ERROR);
639 }
640
641 gmap = &sib.sib_maps[1];
642 stat = smb_idmap_batch_getsid(sib.sib_idmaph, gmap, pw.pw_gid,
643 SMB_IDMAP_GROUP);
644
645 if (stat != IDMAP_SUCCESS) {
646 smb_idmap_batch_destroy(&sib);
647 return (NT_STATUS_INTERNAL_ERROR);
648 }
649
650 if (smb_idmap_batch_getmappings(&sib) != IDMAP_SUCCESS)
651 return (NT_STATUS_INTERNAL_ERROR);
652
653 token->tkn_user.i_sid = smb_sid_dup(umap->sim_sid);
654 token->tkn_primary_grp.i_sid = smb_sid_dup(gmap->sim_sid);
655
656 smb_idmap_batch_destroy(&sib);
657
658 if (token->tkn_user.i_sid == NULL ||
659 token->tkn_primary_grp.i_sid == NULL)
660 return (NT_STATUS_NO_MEMORY);
661
662 return (smb_token_setup_wingrps(token));
663 }
664
665 /*
666 * Setup access token for guest connections
667 */
668 static uint32_t
smb_token_setup_guest(smb_logon_t * user_info,smb_token_t * token)669 smb_token_setup_guest(smb_logon_t *user_info, smb_token_t *token)
670 {
671 token->tkn_account_name = strdup(user_info->lg_e_username);
672
673 (void) rw_rdlock(&smb_logoninit_rwl);
674 token->tkn_domain_name = strdup(smb_guest.a_domain);
675 token->tkn_user.i_sid = smb_sid_dup(smb_guest.a_sid);
676 token->tkn_primary_grp.i_sid = smb_sid_dup(smb_domusers.a_sid);
677 (void) rw_unlock(&smb_logoninit_rwl);
678 token->tkn_flags = SMB_ATF_GUEST;
679
680 if (token->tkn_account_name == NULL ||
681 token->tkn_domain_name == NULL ||
682 token->tkn_user.i_sid == NULL ||
683 token->tkn_primary_grp.i_sid == NULL)
684 return (NT_STATUS_NO_MEMORY);
685
686 return (smb_token_setup_wingrps(token));
687 }
688
689 /*
690 * Setup access token for anonymous connections
691 */
692 static uint32_t
smb_token_setup_anon(smb_token_t * token)693 smb_token_setup_anon(smb_token_t *token)
694 {
695 smb_sid_t *user_sid;
696
697 token->tkn_account_name = strdup("Anonymous");
698 token->tkn_domain_name = strdup("NT Authority");
699 user_sid = smb_wka_get_sid("Anonymous");
700 token->tkn_user.i_sid = smb_sid_dup(user_sid);
701 token->tkn_primary_grp.i_sid = smb_sid_dup(user_sid);
702 token->tkn_flags = SMB_ATF_ANON;
703
704 if (token->tkn_account_name == NULL ||
705 token->tkn_domain_name == NULL ||
706 token->tkn_user.i_sid == NULL ||
707 token->tkn_primary_grp.i_sid == NULL)
708 return (NT_STATUS_NO_MEMORY);
709
710 return (smb_token_setup_wingrps(token));
711 }
712
713 /*
714 * smb_token_user_sid
715 *
716 * Return a pointer to the user SID in the specified token. A null
717 * pointer indicates an error.
718 */
719 static smb_sid_t *
smb_token_user_sid(smb_token_t * token)720 smb_token_user_sid(smb_token_t *token)
721 {
722 return ((token) ? token->tkn_user.i_sid : NULL);
723 }
724
725 /*
726 * smb_token_group_sid
727 *
728 * Return a pointer to the group SID as indicated by the iterator.
729 * Setting the iterator to 0 before calling this function will return
730 * the first group, which will always be the primary group. The
731 * iterator will be incremented before returning the SID so that this
732 * function can be used to cycle through the groups. The caller can
733 * adjust the iterator as required between calls to obtain any specific
734 * group.
735 *
736 * On success a pointer to the appropriate group SID will be returned.
737 * Otherwise a null pointer will be returned.
738 */
739 static smb_sid_t *
smb_token_group_sid(smb_token_t * token,int * iterator)740 smb_token_group_sid(smb_token_t *token, int *iterator)
741 {
742 int index;
743
744 if (token == NULL || iterator == NULL)
745 return (NULL);
746
747 if (token->tkn_win_grps.i_ids == NULL)
748 return (NULL);
749
750 index = *iterator;
751
752 if (index < 0 || index >= token->tkn_win_grps.i_cnt)
753 return (NULL);
754
755 ++(*iterator);
756 return (token->tkn_win_grps.i_ids[index].i_sid);
757 }
758
759 /*
760 * smb_token_is_member
761 *
762 * This function will determine whether or not the specified SID is a
763 * member of a token. The user SID and all group SIDs are tested.
764 * Returns 1 if the SID is a member of the token. Otherwise returns 0.
765 */
766 static boolean_t
smb_token_is_member(smb_token_t * token,smb_sid_t * sid)767 smb_token_is_member(smb_token_t *token, smb_sid_t *sid)
768 {
769 smb_sid_t *tsid;
770 int iterator = 0;
771
772 if (token == NULL || sid == NULL)
773 return (B_FALSE);
774
775 tsid = smb_token_user_sid(token);
776 while (tsid) {
777 if (smb_sid_cmp(tsid, sid))
778 return (B_TRUE);
779
780 tsid = smb_token_group_sid(token, &iterator);
781 }
782
783 return (B_FALSE);
784 }
785
786 /*
787 * smb_token_log
788 *
789 * Diagnostic routine to write the contents of a token to the log.
790 */
791 void
smb_token_log(smb_token_t * token)792 smb_token_log(smb_token_t *token)
793 {
794 smb_ids_t *w_grps;
795 smb_id_t *grp;
796 smb_posix_grps_t *x_grps;
797 char sidstr[SMB_SID_STRSZ];
798 int i;
799
800 if (token == NULL)
801 return;
802
803 syslog(LOG_DEBUG, "Token for %s\\%s",
804 (token->tkn_domain_name) ? token->tkn_domain_name : "-NULL-",
805 (token->tkn_account_name) ? token->tkn_account_name : "-NULL-");
806
807 syslog(LOG_DEBUG, " User->Attr: %d", token->tkn_user.i_attrs);
808 smb_sid_tostr((smb_sid_t *)token->tkn_user.i_sid, sidstr);
809 syslog(LOG_DEBUG, " User->Sid: %s (id=%u)", sidstr,
810 token->tkn_user.i_id);
811
812 smb_sid_tostr((smb_sid_t *)token->tkn_owner.i_sid, sidstr);
813 syslog(LOG_DEBUG, " Ownr->Sid: %s (id=%u)",
814 sidstr, token->tkn_owner.i_id);
815
816 smb_sid_tostr((smb_sid_t *)token->tkn_primary_grp.i_sid, sidstr);
817 syslog(LOG_DEBUG, " PGrp->Sid: %s (id=%u)",
818 sidstr, token->tkn_primary_grp.i_id);
819
820 w_grps = &token->tkn_win_grps;
821 if (w_grps->i_ids) {
822 syslog(LOG_DEBUG, " Windows groups: %d", w_grps->i_cnt);
823 grp = w_grps->i_ids;
824 for (i = 0; i < w_grps->i_cnt; ++i, grp++) {
825 syslog(LOG_DEBUG,
826 " Grp[%d].Attr:%d", i, grp->i_attrs);
827 if (grp->i_sid != NULL) {
828 smb_sid_tostr((smb_sid_t *)grp->i_sid, sidstr);
829 syslog(LOG_DEBUG,
830 " Grp[%d].Sid: %s (id=%u)", i, sidstr,
831 grp->i_id);
832 }
833 }
834 } else {
835 syslog(LOG_DEBUG, " No Windows groups");
836 }
837
838 x_grps = token->tkn_posix_grps;
839 if (x_grps) {
840 syslog(LOG_DEBUG, " Solaris groups: %d", x_grps->pg_ngrps);
841 for (i = 0; i < x_grps->pg_ngrps; i++)
842 syslog(LOG_DEBUG, " %u", x_grps->pg_grps[i]);
843 } else {
844 syslog(LOG_DEBUG, " No Solaris groups");
845 }
846
847 if (token->tkn_privileges)
848 smb_privset_log(token->tkn_privileges);
849 else
850 syslog(LOG_DEBUG, " No privileges");
851 }
852
853 /*
854 * Sets up local and well-known group membership for the given
855 * token. Two assumptions have been made here:
856 *
857 * a) token already contains a valid user SID so that group
858 * memberships can be established
859 *
860 * b) token belongs to a local or anonymous user
861 */
862 static uint32_t
smb_token_setup_wingrps(smb_token_t * token)863 smb_token_setup_wingrps(smb_token_t *token)
864 {
865 smb_ids_t tkn_grps;
866 uint32_t status;
867
868
869 /*
870 * We always want the user's primary group in the list
871 * of groups.
872 */
873 tkn_grps.i_cnt = 1;
874 if ((tkn_grps.i_ids = malloc(sizeof (smb_id_t))) == NULL)
875 return (NT_STATUS_NO_MEMORY);
876
877 tkn_grps.i_ids->i_sid = smb_sid_dup(token->tkn_primary_grp.i_sid);
878 tkn_grps.i_ids->i_attrs = token->tkn_primary_grp.i_attrs;
879 if (tkn_grps.i_ids->i_sid == NULL) {
880 smb_ids_free(&tkn_grps);
881 return (NT_STATUS_NO_MEMORY);
882 }
883
884 status = smb_sam_usr_groups(token->tkn_user.i_sid, &tkn_grps);
885 if (status != NT_STATUS_SUCCESS) {
886 smb_ids_free(&tkn_grps);
887 return (status);
888 }
889
890 status = smb_wka_token_groups(token->tkn_flags, &tkn_grps);
891 if (status != NT_STATUS_SUCCESS) {
892 smb_ids_free(&tkn_grps);
893 return (status);
894 }
895
896 token->tkn_win_grps = tkn_grps;
897 return (status);
898 }
899
900 /*
901 * Returns the guest account name in the provided buffer.
902 *
903 * By default the name would be "guest" unless there's
904 * a idmap name-based rule which maps the guest to a local
905 * Solaris user in which case the name of that user is
906 * returned.
907 */
908 static void
smb_guest_account(char * guest,size_t buflen)909 smb_guest_account(char *guest, size_t buflen)
910 {
911 idmap_stat stat;
912 uid_t guest_uid;
913 struct passwd pw;
914 char pwbuf[1024];
915 int idtype;
916
917 /* default Guest account name */
918 (void) rw_rdlock(&smb_logoninit_rwl);
919 (void) strlcpy(guest, smb_guest.a_name, buflen);
920
921 idtype = SMB_IDMAP_USER;
922 stat = smb_idmap_getid(smb_guest.a_sid, &guest_uid, &idtype);
923 (void) rw_unlock(&smb_logoninit_rwl);
924
925 if (stat != IDMAP_SUCCESS)
926 return;
927
928 /* If Ephemeral ID return the default name */
929 if (IDMAP_ID_IS_EPHEMERAL(guest_uid))
930 return;
931
932 if (getpwuid_r(guest_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL)
933 return;
934
935 (void) strlcpy(guest, pw.pw_name, buflen);
936 }
937