xref: /illumos-gate/usr/src/lib/smbsrv/libmlsvc/common/mlsvc_util.c (revision 4c28a617e3922d92a58e813a5b955eb526b9c386)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23  * Copyright 2015 Nexenta Systems, Inc.  All rights reserved.
24  */
25 
26 /*
27  * Utility functions to support the RPC interface library.
28  */
29 
30 #include <stdio.h>
31 #include <stdarg.h>
32 #include <strings.h>
33 #include <unistd.h>
34 #include <netdb.h>
35 #include <stdlib.h>
36 #include <sys/time.h>
37 #include <sys/systm.h>
38 #include <note.h>
39 #include <syslog.h>
40 
41 #include <smbsrv/libsmb.h>
42 #include <smbsrv/libsmbns.h>
43 #include <smbsrv/libmlsvc.h>
44 #include <smbsrv/ntaccess.h>
45 #include <smbsrv/smbinfo.h>
46 #include <smbsrv/netrauth.h>
47 #include <libsmbrdr.h>
48 #include <lsalib.h>
49 #include <samlib.h>
50 #include <mlsvc.h>
51 
52 static DWORD
53 mlsvc_join_rpc(smb_domainex_t *dxi,
54 	char *admin_user, char *admin_pw,
55 	char *machine_name, char *machine_pw);
56 static DWORD
57 mlsvc_join_noauth(smb_domainex_t *dxi,
58 	char *machine_name, char *machine_pw);
59 
60 
61 DWORD
62 mlsvc_netlogon(char *server, char *domain)
63 {
64 	mlsvc_handle_t netr_handle;
65 	DWORD status;
66 
67 	status = netr_open(server, domain, &netr_handle);
68 	if (status != 0) {
69 		syslog(LOG_NOTICE, "Failed to connect to %s "
70 		    "for domain %s (%s)", server, domain,
71 		    xlate_nt_status(status));
72 		return (status);
73 	}
74 
75 	status = netlogon_auth(server, &netr_handle, NETR_FLG_INIT);
76 	if (status != NT_STATUS_SUCCESS) {
77 		syslog(LOG_NOTICE, "Failed to establish NETLOGON "
78 		    "credential chain with DC: %s (%s)", server,
79 		    xlate_nt_status(status));
80 		syslog(LOG_NOTICE, "The machine account information on the "
81 		    "domain controller does not match the local storage.");
82 		syslog(LOG_NOTICE, "To correct this, use 'smbadm join'");
83 	}
84 	(void) netr_close(&netr_handle);
85 
86 	return (status);
87 }
88 
89 /*
90  * Join the specified domain.  The method varies depending on whether
91  * we're using "secure join" (using an administrative account to join)
92  * or "unsecure join" (using a pre-created machine account).  In the
93  * latter case, the machine account is created "by hand" before this
94  * machine attempts to join, and we just change the password from the
95  * (weak) default password for a new machine account to a random one.
96  *
97  * Returns NT status codes.
98  */
99 void
100 mlsvc_join(smb_joininfo_t *info, smb_joinres_t *res)
101 {
102 	static unsigned char zero_hash[SMBAUTH_HASH_SZ];
103 	char machine_name[SMB_SAMACCT_MAXLEN];
104 	char machine_pw[NETR_MACHINE_ACCT_PASSWD_MAX];
105 	unsigned char passwd_hash[SMBAUTH_HASH_SZ];
106 	smb_domainex_t dxi;
107 	smb_domain_t *di = &dxi.d_primary;
108 	DWORD status;
109 	int rc;
110 
111 	bzero(&dxi, sizeof (dxi));
112 
113 	/*
114 	 * Domain join support: AD (Kerberos+LDAP) or MS-RPC?
115 	 */
116 	boolean_t ads_enabled = smb_config_get_ads_enable();
117 
118 	if (smb_getsamaccount(machine_name, sizeof (machine_name)) != 0) {
119 		res->status = NT_STATUS_INVALID_COMPUTER_NAME;
120 		return;
121 	}
122 
123 	(void) smb_gen_random_passwd(machine_pw, sizeof (machine_pw));
124 
125 	/*
126 	 * Ensure that any previous membership of this domain has
127 	 * been cleared from the environment before we start. This
128 	 * will ensure that we don't attempt a NETLOGON_SAMLOGON
129 	 * when attempting to find the PDC.
130 	 */
131 	(void) smb_config_setbool(SMB_CI_DOMAIN_MEMB, B_FALSE);
132 
133 	if (info->domain_username[0] != '\0') {
134 		(void) smb_auth_ntlm_hash(info->domain_passwd, passwd_hash);
135 		smb_ipc_set(info->domain_username, passwd_hash);
136 	} else {
137 		smb_ipc_set(MLSVC_ANON_USER, zero_hash);
138 	}
139 
140 	/*
141 	 * Tentatively set the idmap domain to the one we're joining,
142 	 * so that the DC locator in idmap knows what to look for.
143 	 * Ditto the SMB server domain.
144 	 */
145 	if (smb_config_set_idmap_domain(info->domain_name) != 0)
146 		syslog(LOG_NOTICE, "Failed to set idmap domain name");
147 	if (smb_config_refresh_idmap() != 0)
148 		syslog(LOG_NOTICE, "Failed to refresh idmap service");
149 
150 	/* Clear DNS local (ADS) lookup cache. */
151 	smb_ads_refresh(B_FALSE);
152 
153 	/*
154 	 * Locate a DC for this domain.  Intentionally bypass the
155 	 * ddiscover service here because we're still joining.
156 	 * This also allows better reporting of any failures.
157 	 */
158 	status = smb_ads_lookup_msdcs(info->domain_name, &dxi.d_dci);
159 	if (status != NT_STATUS_SUCCESS) {
160 		syslog(LOG_ERR,
161 		    "smbd: failed to locate AD server for domain %s (%s)",
162 		    info->domain_name, xlate_nt_status(status));
163 		goto out;
164 	}
165 
166 	/*
167 	 * Found a DC.  Report what we found along with the return status
168 	 * so that admin will know which AD server we were talking to.
169 	 */
170 	(void) strlcpy(res->dc_name, dxi.d_dci.dc_name, MAXHOSTNAMELEN);
171 	syslog(LOG_INFO, "smbd: found AD server %s", dxi.d_dci.dc_name);
172 
173 	/*
174 	 * Domain discovery needs to authenticate with the AD server.
175 	 * Disconnect any existing connection with the domain controller
176 	 * to make sure we won't use any prior authentication context
177 	 * our redirector might have.
178 	 */
179 	mlsvc_disconnect(dxi.d_dci.dc_name);
180 
181 	/*
182 	 * Get the domain policy info (domain SID etc).
183 	 * Here too, bypass the smb_ddiscover_service.
184 	 */
185 	status = smb_ddiscover_main(info->domain_name, &dxi);
186 	if (status != NT_STATUS_SUCCESS) {
187 		syslog(LOG_ERR,
188 		    "smbd: failed getting domain info for %s (%s)",
189 		    info->domain_name, xlate_nt_status(status));
190 		goto out;
191 	}
192 	/*
193 	 * After a successful smbd_ddiscover_main() call
194 	 * we should call smb_domain_save() to update the
195 	 * data shown by smbadm list.  Do that at the end,
196 	 * only if all goes well with joining the domain.
197 	 */
198 
199 	/*
200 	 * Create or update our machine account on the DC.
201 	 * A non-null user means we do "secure join".
202 	 */
203 	if (info->domain_username[0] != '\0') {
204 		/*
205 		 * If enabled, try to join using AD Services.
206 		 */
207 		status = NT_STATUS_UNSUCCESSFUL;
208 		if (ads_enabled) {
209 			res->join_err = smb_ads_join(di->di_fqname,
210 			    info->domain_username, info->domain_passwd,
211 			    machine_pw);
212 			if (res->join_err == SMB_ADS_SUCCESS) {
213 				status = NT_STATUS_SUCCESS;
214 			}
215 		} else {
216 			syslog(LOG_DEBUG, "use_ads=false (do RPC join)");
217 
218 			/*
219 			 * If ADS was disabled, join using RPC.
220 			 */
221 			status = mlsvc_join_rpc(&dxi,
222 			    info->domain_username,
223 			    info->domain_passwd,
224 			    machine_name, machine_pw);
225 		}
226 
227 	} else {
228 		/*
229 		 * Doing "Unsecure join" (pre-created account)
230 		 */
231 		status = mlsvc_join_noauth(&dxi, machine_name, machine_pw);
232 	}
233 
234 	if (status != NT_STATUS_SUCCESS)
235 		goto out;
236 
237 	/*
238 	 * Make sure we can authenticate using the
239 	 * (new, or updated) machine account.
240 	 */
241 	(void) smb_auth_ntlm_hash(machine_pw, passwd_hash);
242 	smb_ipc_set(machine_name, passwd_hash);
243 	rc = smbrdr_logon(dxi.d_dci.dc_name, di->di_nbname, machine_name);
244 	if (rc != 0) {
245 		syslog(LOG_NOTICE, "Authenticate with "
246 		    "new/updated machine account: %s",
247 		    strerror(rc));
248 		res->join_err = SMB_ADJOIN_ERR_AUTH_NETLOGON;
249 		status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
250 		goto out;
251 	}
252 
253 	/*
254 	 * Store the new machine account password, and
255 	 * SMB_CI_DOMAIN_MEMB etc.
256 	 */
257 	rc = smb_setdomainprops(NULL, dxi.d_dci.dc_name, machine_pw);
258 	if (rc != 0) {
259 		syslog(LOG_NOTICE,
260 		    "Failed to save machine account password");
261 		res->join_err = SMB_ADJOIN_ERR_STORE_PROPS;
262 		status = NT_STATUS_INTERNAL_DB_ERROR;
263 		goto out;
264 	}
265 
266 	/*
267 	 * Update idmap config?
268 	 * Already set the domain_name above.
269 	 */
270 
271 	/*
272 	 * Save the SMB server config.  Sets: SMB_CI_DOMAIN_*
273 	 * Should unify SMB vs idmap configs.
274 	 */
275 	smb_config_setdomaininfo(di->di_nbname, di->di_fqname,
276 	    di->di_sid,
277 	    di->di_u.di_dns.ddi_forest,
278 	    di->di_u.di_dns.ddi_guid);
279 	smb_ipc_commit();
280 	smb_domain_save();
281 
282 	status = 0;
283 
284 out:
285 
286 	if (status != 0) {
287 		/*
288 		 * Undo the tentative domain settings.
289 		 */
290 		(void) smb_config_set_idmap_domain("");
291 		(void) smb_config_refresh_idmap();
292 		smb_ipc_rollback();
293 	}
294 
295 	/* Avoid leaving cleartext passwords around. */
296 	bzero(machine_pw, sizeof (machine_pw));
297 	bzero(passwd_hash, sizeof (passwd_hash));
298 
299 	res->status = status;
300 }
301 
302 static DWORD
303 mlsvc_join_rpc(smb_domainex_t *dxi,
304 	char *admin_user, char *admin_pw,
305 	char *machine_name,  char *machine_pw)
306 {
307 	mlsvc_handle_t samr_handle;
308 	mlsvc_handle_t domain_handle;
309 	mlsvc_handle_t user_handle;
310 	smb_account_t ainfo;
311 	char *server = dxi->d_dci.dc_name;
312 	smb_domain_t *di = &dxi->d_primary;
313 	DWORD account_flags;
314 	DWORD rid;
315 	DWORD status;
316 	int rc;
317 
318 	/* Caller did smb_ipc_set() so we don't need the pw for now. */
319 	_NOTE(ARGUNUSED(admin_pw));
320 
321 	rc = samr_open(server, di->di_nbname, admin_user,
322 	    MAXIMUM_ALLOWED, &samr_handle);
323 	if (rc != 0) {
324 		syslog(LOG_NOTICE, "sam_connect to server %s failed", server);
325 		return (RPC_NT_SERVER_UNAVAILABLE);
326 	}
327 	/* have samr_handle */
328 
329 	status = samr_open_domain(&samr_handle, MAXIMUM_ALLOWED,
330 	    (struct samr_sid *)di->di_binsid, &domain_handle);
331 	if (status != NT_STATUS_SUCCESS)
332 		goto out_samr_handle;
333 	/* have domain_handle */
334 
335 	account_flags = SAMR_AF_WORKSTATION_TRUST_ACCOUNT;
336 	status = samr_create_user(&domain_handle, machine_name,
337 	    account_flags, &rid, &user_handle);
338 	if (status == NT_STATUS_USER_EXISTS) {
339 		status = samr_lookup_domain_names(&domain_handle,
340 		    machine_name, &ainfo);
341 		if (status != NT_STATUS_SUCCESS)
342 			goto out_domain_handle;
343 		status = samr_open_user(&domain_handle, MAXIMUM_ALLOWED,
344 		    ainfo.a_rid, &user_handle);
345 	}
346 	if (status != NT_STATUS_SUCCESS) {
347 		syslog(LOG_NOTICE,
348 		    "smbd: failed to open machine account (%s)",
349 		    xlate_nt_status(status));
350 		goto out_domain_handle;
351 	}
352 
353 	/*
354 	 * The account exists, and we have user_handle open
355 	 * on that account.  Set the password and flags.
356 	 */
357 
358 	status = netr_set_user_password(&user_handle, machine_pw);
359 	if (status != NT_STATUS_SUCCESS) {
360 		syslog(LOG_NOTICE,
361 		    "smbd: failed to set machine account password (%s)",
362 		    xlate_nt_status(status));
363 		goto out_user_handle;
364 	}
365 
366 	account_flags |= SAMR_AF_DONT_EXPIRE_PASSWD;
367 	status = netr_set_user_control(&user_handle, account_flags);
368 	if (status != NT_STATUS_SUCCESS) {
369 		syslog(LOG_NOTICE,
370 		    "Set machine account control flags: %s",
371 		    xlate_nt_status(status));
372 		goto out_user_handle;
373 	}
374 
375 out_user_handle:
376 	(void) samr_close_handle(&user_handle);
377 out_domain_handle:
378 	(void) samr_close_handle(&domain_handle);
379 out_samr_handle:
380 	(void) samr_close_handle(&samr_handle);
381 
382 	return (status);
383 }
384 
385 /*
386  * Doing "Unsecure join" (using a pre-created machine account).
387  * All we need to do is change the password from the default
388  * to a random string.
389  *
390  * Note: this is a work in progres.  Nexenta issue 11960
391  * (allow joining an AD domain using a pre-created computer account)
392  * It turns out that to change the machine account password,
393  * we need to use a different RPC call, performed over the
394  * NetLogon secure channel.  (See netr_server_password_set2)
395  */
396 static DWORD
397 mlsvc_join_noauth(smb_domainex_t *dxi,
398 	char *machine_name, char *machine_pw)
399 {
400 	char old_pw[SMB_SAMACCT_MAXLEN];
401 	DWORD status;
402 
403 	/*
404 	 * Compose the current (default) password for the
405 	 * pre-created machine account, which is just the
406 	 * account name in lower case, truncated to 14
407 	 * characters.
408 	 */
409 	if (smb_gethostname(old_pw, sizeof (old_pw), SMB_CASE_LOWER) != 0)
410 		return (NT_STATUS_INTERNAL_ERROR);
411 	old_pw[14] = '\0';
412 
413 	status = netr_change_password(dxi->d_dci.dc_name, machine_name,
414 	    old_pw, machine_pw);
415 	if (status != NT_STATUS_SUCCESS) {
416 		syslog(LOG_NOTICE,
417 		    "Change machine account password: %s",
418 		    xlate_nt_status(status));
419 	}
420 	return (status);
421 }
422 
423 void
424 mlsvc_disconnect(const char *server)
425 {
426 	smbrdr_disconnect(server);
427 }
428 
429 /*
430  * A few more helper functions for RPC services.
431  */
432 
433 /*
434  * Check whether or not the specified user has administrator privileges,
435  * i.e. is a member of Domain Admins or Administrators.
436  * Returns true if the user is an administrator, otherwise returns false.
437  */
438 boolean_t
439 ndr_is_admin(ndr_xa_t *xa)
440 {
441 	smb_netuserinfo_t *ctx = xa->pipe->np_user;
442 
443 	return (ctx->ui_flags & SMB_ATF_ADMIN);
444 }
445 
446 /*
447  * Check whether or not the specified user has power-user privileges,
448  * i.e. is a member of Domain Admins, Administrators or Power Users.
449  * This is typically required for operations such as managing shares.
450  * Returns true if the user is a power user, otherwise returns false.
451  */
452 boolean_t
453 ndr_is_poweruser(ndr_xa_t *xa)
454 {
455 	smb_netuserinfo_t *ctx = xa->pipe->np_user;
456 
457 	return ((ctx->ui_flags & SMB_ATF_ADMIN) ||
458 	    (ctx->ui_flags & SMB_ATF_POWERUSER));
459 }
460 
461 int32_t
462 ndr_native_os(ndr_xa_t *xa)
463 {
464 	smb_netuserinfo_t *ctx = xa->pipe->np_user;
465 
466 	return (ctx->ui_native_os);
467 }
468