xref: /illumos-gate/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c (revision 8c69cc8fbe729fa7b091e901c4b50508ccc6bb33)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
24  * Copyright 2015 Nexenta Systems, Inc.  All rights reserved.
25  */
26 
27 /*
28  * NETR SamLogon and SamLogoff RPC client functions.
29  */
30 
31 #include <stdio.h>
32 #include <strings.h>
33 #include <stdlib.h>
34 #include <time.h>
35 #include <alloca.h>
36 #include <unistd.h>
37 #include <netdb.h>
38 #include <thread.h>
39 
40 #include <smbsrv/libsmb.h>
41 #include <smbsrv/libmlrpc.h>
42 #include <smbsrv/libmlsvc.h>
43 #include <smbsrv/ndl/netlogon.ndl>
44 #include <smbsrv/netrauth.h>
45 #include <smbsrv/smbinfo.h>
46 #include <smbsrv/smb_token.h>
47 #include <mlsvc.h>
48 
49 #define	NETLOGON_ATTEMPTS	2
50 
51 static uint32_t netlogon_logon(smb_logon_t *, smb_token_t *);
52 static uint32_t netr_server_samlogon(mlsvc_handle_t *, netr_info_t *, char *,
53     smb_logon_t *, smb_token_t *);
54 static void netr_invalidate_chain(void);
55 static void netr_interactive_samlogon(netr_info_t *, smb_logon_t *,
56     struct netr_logon_info1 *);
57 static void netr_network_samlogon(ndr_heap_t *, netr_info_t *,
58     smb_logon_t *, struct netr_logon_info2 *);
59 static void netr_setup_identity(ndr_heap_t *, smb_logon_t *,
60     netr_logon_id_t *);
61 static boolean_t netr_isadmin(struct netr_validation_info3 *);
62 static uint32_t netr_setup_domain_groups(struct netr_validation_info3 *,
63     smb_ids_t *);
64 static uint32_t netr_setup_token_info3(struct netr_validation_info3 *,
65     smb_token_t *);
66 static uint32_t netr_setup_token_wingrps(struct netr_validation_info3 *,
67     smb_token_t *);
68 
69 /*
70  * Shared with netr_auth.c
71  */
72 extern netr_info_t netr_global_info;
73 
74 static mutex_t netlogon_mutex;
75 static cond_t netlogon_cv;
76 static boolean_t netlogon_busy = B_FALSE;
77 static boolean_t netlogon_abort = B_FALSE;
78 
79 /*
80  * Helper for Kerberos authentication
81  */
82 uint32_t
83 smb_decode_krb5_pac(smb_token_t *token, char *data, uint_t len)
84 {
85 	struct krb5_validation_info info;
86 	ndr_buf_t *nbuf;
87 	uint32_t status = NT_STATUS_NO_MEMORY;
88 	int rc;
89 
90 	bzero(&info, sizeof (info));
91 
92 	/* Need to keep this until we're done with &info */
93 	nbuf = ndr_buf_init(&TYPEINFO(netr_interface));
94 	if (nbuf == NULL)
95 		goto out;
96 
97 	rc = ndr_buf_decode(nbuf, NDR_PTYPE_PAC,
98 	    NETR_OPNUM_decode_krb5_pac, data, len, &info);
99 	if (rc != NDR_DRC_OK) {
100 		status = RPC_NT_PROTOCOL_ERROR;
101 		goto out;
102 	}
103 
104 	status = netr_setup_token_info3(&info.info3, token);
105 
106 	/* Deal with the "resource groups"? */
107 
108 
109 out:
110 	if (nbuf != NULL)
111 		ndr_buf_fini(nbuf);
112 
113 	return (status);
114 }
115 
116 /*
117  * Code factored out of netr_setup_token()
118  */
119 static uint32_t
120 netr_setup_token_info3(struct netr_validation_info3 *info3,
121     smb_token_t *token)
122 {
123 	smb_sid_t *domsid;
124 
125 	domsid = (smb_sid_t *)info3->LogonDomainId;
126 
127 	token->tkn_user.i_sid = smb_sid_splice(domsid,
128 	    info3->UserId);
129 	if (token->tkn_user.i_sid == NULL)
130 		goto errout;
131 
132 	token->tkn_primary_grp.i_sid = smb_sid_splice(domsid,
133 	    info3->PrimaryGroupId);
134 	if (token->tkn_primary_grp.i_sid == NULL)
135 		goto errout;
136 
137 	if (info3->EffectiveName.str) {
138 		token->tkn_account_name =
139 		    strdup((char *)info3->EffectiveName.str);
140 		if (token->tkn_account_name == NULL)
141 			goto errout;
142 	}
143 
144 	if (info3->LogonDomainName.str) {
145 		token->tkn_domain_name =
146 		    strdup((char *)info3->LogonDomainName.str);
147 		if (token->tkn_domain_name == NULL)
148 			goto errout;
149 	}
150 
151 	return (netr_setup_token_wingrps(info3, token));
152 errout:
153 	return (NT_STATUS_INSUFF_SERVER_RESOURCES);
154 }
155 
156 /*
157  * Abort impending domain logon requests.
158  */
159 void
160 smb_logon_abort(void)
161 {
162 	(void) mutex_lock(&netlogon_mutex);
163 	if (netlogon_busy && !netlogon_abort)
164 		syslog(LOG_DEBUG, "logon abort");
165 	netlogon_abort = B_TRUE;
166 	(void) cond_broadcast(&netlogon_cv);
167 	(void) mutex_unlock(&netlogon_mutex);
168 }
169 
170 /*
171  * This is the entry point for authenticating domain users.
172  *
173  * If we are not going to attempt to authenticate the user,
174  * this function must return without updating the status.
175  *
176  * If the user is successfully authenticated, we build an
177  * access token and the status will be NT_STATUS_SUCCESS.
178  * Otherwise, the token contents are invalid.
179  */
180 void
181 smb_logon_domain(smb_logon_t *user_info, smb_token_t *token)
182 {
183 	uint32_t	status;
184 	int		i;
185 
186 	if (user_info->lg_secmode != SMB_SECMODE_DOMAIN)
187 		return;
188 
189 	if (user_info->lg_domain_type == SMB_DOMAIN_LOCAL)
190 		return;
191 
192 	for (i = 0; i < NETLOGON_ATTEMPTS; ++i) {
193 		(void) mutex_lock(&netlogon_mutex);
194 		while (netlogon_busy && !netlogon_abort)
195 			(void) cond_wait(&netlogon_cv, &netlogon_mutex);
196 
197 		if (netlogon_abort) {
198 			(void) mutex_unlock(&netlogon_mutex);
199 			user_info->lg_status = NT_STATUS_REQUEST_ABORTED;
200 			return;
201 		}
202 
203 		netlogon_busy = B_TRUE;
204 		(void) mutex_unlock(&netlogon_mutex);
205 
206 		status = netlogon_logon(user_info, token);
207 
208 		(void) mutex_lock(&netlogon_mutex);
209 		netlogon_busy = B_FALSE;
210 		if (netlogon_abort)
211 			status = NT_STATUS_REQUEST_ABORTED;
212 		(void) cond_signal(&netlogon_cv);
213 		(void) mutex_unlock(&netlogon_mutex);
214 
215 		if (status != NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
216 			break;
217 	}
218 
219 	if (status != NT_STATUS_SUCCESS)
220 		syslog(LOG_INFO, "logon[%s\\%s]: %s", user_info->lg_e_domain,
221 		    user_info->lg_e_username, xlate_nt_status(status));
222 
223 	user_info->lg_status = status;
224 }
225 
226 static uint32_t
227 netlogon_logon(smb_logon_t *user_info, smb_token_t *token)
228 {
229 	char resource_domain[SMB_PI_MAX_DOMAIN];
230 	char server[MAXHOSTNAMELEN];
231 	mlsvc_handle_t netr_handle;
232 	smb_domainex_t di;
233 	uint32_t status;
234 	int retries = 0;
235 
236 	(void) smb_getdomainname(resource_domain, SMB_PI_MAX_DOMAIN);
237 
238 	/* Avoid interfering with DC discovery. */
239 	if (smb_ddiscover_wait() != 0 ||
240 	    !smb_domain_getinfo(&di)) {
241 		netr_invalidate_chain();
242 		return (NT_STATUS_CANT_ACCESS_DOMAIN_INFO);
243 	}
244 
245 	do {
246 		if (netr_open(di.d_dci.dc_name, di.d_primary.di_nbname,
247 		    &netr_handle) != 0)
248 			return (NT_STATUS_OPEN_FAILED);
249 
250 		if (di.d_dci.dc_name[0] != '\0' &&
251 		    (*netr_global_info.server != '\0')) {
252 			(void) snprintf(server, sizeof (server),
253 			    "\\\\%s", di.d_dci.dc_name);
254 			if (strncasecmp(netr_global_info.server,
255 			    server, strlen(server)) != 0)
256 				netr_invalidate_chain();
257 		}
258 
259 		if ((netr_global_info.flags & NETR_FLG_VALID) == 0 ||
260 		    !smb_match_netlogon_seqnum()) {
261 			status = netlogon_auth(di.d_dci.dc_name, &netr_handle,
262 			    NETR_FLG_NULL);
263 
264 			if (status != 0) {
265 				(void) netr_close(&netr_handle);
266 				return (NT_STATUS_LOGON_FAILURE);
267 			}
268 
269 			netr_global_info.flags |= NETR_FLG_VALID;
270 		}
271 
272 		status = netr_server_samlogon(&netr_handle,
273 		    &netr_global_info, di.d_dci.dc_name, user_info, token);
274 
275 		(void) netr_close(&netr_handle);
276 	} while (status == NT_STATUS_INSUFFICIENT_LOGON_INFO && retries++ < 3);
277 
278 	if (retries >= 3)
279 		status = NT_STATUS_LOGON_FAILURE;
280 
281 	return (status);
282 }
283 
284 static uint32_t
285 netr_setup_token(struct netr_validation_info3 *info3, smb_logon_t *user_info,
286     netr_info_t *netr_info, smb_token_t *token)
287 {
288 	char *username, *domain;
289 	unsigned char rc4key[SMBAUTH_SESSION_KEY_SZ];
290 	smb_sid_t *domsid;
291 	uint32_t status;
292 	char nbdomain[NETBIOS_NAME_SZ];
293 
294 	domsid = (smb_sid_t *)info3->LogonDomainId;
295 
296 	token->tkn_user.i_sid = smb_sid_splice(domsid, info3->UserId);
297 	if (token->tkn_user.i_sid == NULL)
298 		return (NT_STATUS_NO_MEMORY);
299 
300 	token->tkn_primary_grp.i_sid = smb_sid_splice(domsid,
301 	    info3->PrimaryGroupId);
302 	if (token->tkn_primary_grp.i_sid == NULL)
303 		return (NT_STATUS_NO_MEMORY);
304 
305 	username = (info3->EffectiveName.str)
306 	    ? (char *)info3->EffectiveName.str : user_info->lg_e_username;
307 
308 	if (info3->LogonDomainName.str) {
309 		domain = (char *)info3->LogonDomainName.str;
310 	} else if (*user_info->lg_e_domain != '\0') {
311 		domain = user_info->lg_e_domain;
312 	} else {
313 		(void) smb_getdomainname(nbdomain, sizeof (nbdomain));
314 		domain = nbdomain;
315 	}
316 
317 	if (username)
318 		token->tkn_account_name = strdup(username);
319 	if (domain)
320 		token->tkn_domain_name = strdup(domain);
321 
322 	if (token->tkn_account_name == NULL || token->tkn_domain_name == NULL)
323 		return (NT_STATUS_NO_MEMORY);
324 
325 	status = netr_setup_token_wingrps(info3, token);
326 	if (status != NT_STATUS_SUCCESS)
327 		return (status);
328 
329 	/*
330 	 * The UserSessionKey in NetrSamLogon RPC is obfuscated using the
331 	 * session key obtained in the NETLOGON credential chain.
332 	 * An 8 byte session key is zero extended to 16 bytes. This 16 byte
333 	 * key is the key to the RC4 algorithm. The RC4 byte stream is
334 	 * exclusively ored with the 16 byte UserSessionKey to recover
335 	 * the the clear form.
336 	 */
337 	if ((token->tkn_ssnkey.val = malloc(SMBAUTH_SESSION_KEY_SZ)) == NULL)
338 		return (NT_STATUS_NO_MEMORY);
339 	token->tkn_ssnkey.len = SMBAUTH_SESSION_KEY_SZ;
340 	bzero(rc4key, SMBAUTH_SESSION_KEY_SZ);
341 	bcopy(netr_info->session_key.key, rc4key, netr_info->session_key.len);
342 	bcopy(info3->UserSessionKey.data, token->tkn_ssnkey.val,
343 	    SMBAUTH_SESSION_KEY_SZ);
344 	rand_hash((unsigned char *)token->tkn_ssnkey.val,
345 	    SMBAUTH_SESSION_KEY_SZ, rc4key, SMBAUTH_SESSION_KEY_SZ);
346 
347 	return (NT_STATUS_SUCCESS);
348 }
349 
350 /*
351  * netr_server_samlogon
352  *
353  * NetrServerSamLogon RPC: interactive or network. It is assumed that
354  * we have already authenticated with the PDC. If everything works,
355  * we build a user info structure and return it, where the caller will
356  * probably build an access token.
357  *
358  * Returns an NT status. There are numerous possibilities here.
359  * For example:
360  *	NT_STATUS_INVALID_INFO_CLASS
361  *	NT_STATUS_INVALID_PARAMETER
362  *	NT_STATUS_ACCESS_DENIED
363  *	NT_STATUS_PASSWORD_MUST_CHANGE
364  *	NT_STATUS_NO_SUCH_USER
365  *	NT_STATUS_WRONG_PASSWORD
366  *	NT_STATUS_LOGON_FAILURE
367  *	NT_STATUS_ACCOUNT_RESTRICTION
368  *	NT_STATUS_INVALID_LOGON_HOURS
369  *	NT_STATUS_INVALID_WORKSTATION
370  *	NT_STATUS_INTERNAL_ERROR
371  *	NT_STATUS_PASSWORD_EXPIRED
372  *	NT_STATUS_ACCOUNT_DISABLED
373  */
374 uint32_t
375 netr_server_samlogon(mlsvc_handle_t *netr_handle, netr_info_t *netr_info,
376     char *server, smb_logon_t *user_info, smb_token_t *token)
377 {
378 	struct netr_SamLogon arg;
379 	struct netr_authenticator auth;
380 	struct netr_authenticator ret_auth;
381 	struct netr_logon_info1 info1;
382 	struct netr_logon_info2 info2;
383 	struct netr_validation_info3 *info3;
384 	ndr_heap_t *heap;
385 	int opnum;
386 	int rc, len;
387 	uint32_t status;
388 
389 	bzero(&arg, sizeof (struct netr_SamLogon));
390 	opnum = NETR_OPNUM_SamLogon;
391 
392 	/*
393 	 * Should we get the server and hostname from netr_info?
394 	 */
395 
396 	len = strlen(server) + 4;
397 	arg.servername = ndr_rpc_malloc(netr_handle, len);
398 	arg.hostname = ndr_rpc_malloc(netr_handle, NETBIOS_NAME_SZ);
399 	if (arg.servername == NULL || arg.hostname == NULL) {
400 		ndr_rpc_release(netr_handle);
401 		return (NT_STATUS_INTERNAL_ERROR);
402 	}
403 
404 	(void) snprintf((char *)arg.servername, len, "\\\\%s", server);
405 	if (smb_getnetbiosname((char *)arg.hostname, NETBIOS_NAME_SZ) != 0) {
406 		ndr_rpc_release(netr_handle);
407 		return (NT_STATUS_INTERNAL_ERROR);
408 	}
409 
410 	rc = netr_setup_authenticator(netr_info, &auth, &ret_auth);
411 	if (rc != SMBAUTH_SUCCESS) {
412 		ndr_rpc_release(netr_handle);
413 		return (NT_STATUS_INTERNAL_ERROR);
414 	}
415 
416 	arg.auth = &auth;
417 	arg.ret_auth = &ret_auth;
418 	arg.validation_level = NETR_VALIDATION_LEVEL3;
419 	arg.logon_info.logon_level = user_info->lg_level;
420 	arg.logon_info.switch_value = user_info->lg_level;
421 
422 	heap = ndr_rpc_get_heap(netr_handle);
423 
424 	switch (user_info->lg_level) {
425 	case NETR_INTERACTIVE_LOGON:
426 		netr_setup_identity(heap, user_info, &info1.identity);
427 		netr_interactive_samlogon(netr_info, user_info, &info1);
428 		arg.logon_info.ru.info1 = &info1;
429 		break;
430 
431 	case NETR_NETWORK_LOGON:
432 		if (user_info->lg_challenge_key.len < 8 ||
433 		    user_info->lg_challenge_key.val == NULL) {
434 			ndr_rpc_release(netr_handle);
435 			return (NT_STATUS_INVALID_PARAMETER);
436 		}
437 		netr_setup_identity(heap, user_info, &info2.identity);
438 		netr_network_samlogon(heap, netr_info, user_info, &info2);
439 		arg.logon_info.ru.info2 = &info2;
440 		break;
441 
442 	default:
443 		ndr_rpc_release(netr_handle);
444 		return (NT_STATUS_INVALID_PARAMETER);
445 	}
446 
447 	rc = ndr_rpc_call(netr_handle, opnum, &arg);
448 	if (rc != 0) {
449 		bzero(netr_info, sizeof (netr_info_t));
450 		status = NT_STATUS_INVALID_PARAMETER;
451 	} else if (arg.status != 0) {
452 		status = NT_SC_VALUE(arg.status);
453 
454 		/*
455 		 * We need to validate the chain even though we have
456 		 * a non-zero status. If the status is ACCESS_DENIED
457 		 * this will trigger a new credential chain. However,
458 		 * a valid credential is returned with some status
459 		 * codes; for example, WRONG_PASSWORD.
460 		 */
461 		(void) netr_validate_chain(netr_info, arg.ret_auth);
462 	} else {
463 		status = netr_validate_chain(netr_info, arg.ret_auth);
464 		if (status == NT_STATUS_INSUFFICIENT_LOGON_INFO) {
465 			ndr_rpc_release(netr_handle);
466 			return (status);
467 		}
468 
469 		info3 = arg.ru.info3;
470 		status = netr_setup_token(info3, user_info, netr_info, token);
471 	}
472 
473 	ndr_rpc_release(netr_handle);
474 	return (status);
475 }
476 
477 /*
478  * netr_interactive_samlogon
479  *
480  * Set things up for an interactive SamLogon. Copy the NT and LM
481  * passwords to the logon structure and hash them with the session
482  * key.
483  */
484 static void
485 netr_interactive_samlogon(netr_info_t *netr_info, smb_logon_t *user_info,
486     struct netr_logon_info1 *info1)
487 {
488 	BYTE key[NETR_OWF_PASSWORD_SZ];
489 
490 	(void) memcpy(&info1->lm_owf_password,
491 	    user_info->lg_lm_password.val, sizeof (netr_owf_password_t));
492 
493 	(void) memcpy(&info1->nt_owf_password,
494 	    user_info->lg_nt_password.val, sizeof (netr_owf_password_t));
495 
496 	(void) memset(key, 0, NETR_OWF_PASSWORD_SZ);
497 	(void) memcpy(key, netr_info->session_key.key,
498 	    netr_info->session_key.len);
499 
500 	rand_hash((unsigned char *)&info1->lm_owf_password,
501 	    NETR_OWF_PASSWORD_SZ, key, NETR_OWF_PASSWORD_SZ);
502 
503 	rand_hash((unsigned char *)&info1->nt_owf_password,
504 	    NETR_OWF_PASSWORD_SZ, key, NETR_OWF_PASSWORD_SZ);
505 }
506 
507 /*
508  * netr_network_samlogon
509  *
510  * Set things up for a network SamLogon.  We provide a copy of the random
511  * challenge, that we sent to the client, to the domain controller.  This
512  * is the key that the client will have used to encrypt the NT and LM
513  * passwords.  Note that Windows 9x clients may not provide both passwords.
514  */
515 /*ARGSUSED*/
516 static void
517 netr_network_samlogon(ndr_heap_t *heap, netr_info_t *netr_info,
518     smb_logon_t *user_info, struct netr_logon_info2 *info2)
519 {
520 	uint32_t len;
521 
522 	if (user_info->lg_challenge_key.len >= 8 &&
523 	    user_info->lg_challenge_key.val != 0) {
524 		bcopy(user_info->lg_challenge_key.val,
525 		    info2->lm_challenge.data, 8);
526 	} else {
527 		bzero(info2->lm_challenge.data, 8);
528 	}
529 
530 	if ((len = user_info->lg_nt_password.len) != 0) {
531 		ndr_heap_mkvcb(heap, user_info->lg_nt_password.val, len,
532 		    (ndr_vcbuf_t *)&info2->nt_response);
533 	} else {
534 		bzero(&info2->nt_response, sizeof (netr_vcbuf_t));
535 	}
536 
537 	if ((len = user_info->lg_lm_password.len) != 0) {
538 		ndr_heap_mkvcb(heap, user_info->lg_lm_password.val, len,
539 		    (ndr_vcbuf_t *)&info2->lm_response);
540 	} else {
541 		bzero(&info2->lm_response, sizeof (netr_vcbuf_t));
542 	}
543 }
544 
545 /*
546  * netr_setup_authenticator
547  *
548  * Set up the request and return authenticators. A new credential is
549  * generated from the session key, the current client credential and
550  * the current time, i.e.
551  *
552  *		NewCredential = Cred(SessionKey, OldCredential, time);
553  *
554  * The timestamp, which is used as a random seed, is stored in both
555  * the request and return authenticators.
556  *
557  * If any difficulties occur using the cryptographic framework, the
558  * function returns SMBAUTH_FAILURE.  Otherwise SMBAUTH_SUCCESS is
559  * returned.
560  */
561 int
562 netr_setup_authenticator(netr_info_t *netr_info,
563     struct netr_authenticator *auth, struct netr_authenticator *ret_auth)
564 {
565 	bzero(auth, sizeof (struct netr_authenticator));
566 
567 	netr_info->timestamp = time(0);
568 	auth->timestamp = netr_info->timestamp;
569 
570 	if (netr_gen_credentials(netr_info->session_key.key,
571 	    &netr_info->client_credential,
572 	    netr_info->timestamp,
573 	    (netr_cred_t *)&auth->credential) != SMBAUTH_SUCCESS)
574 		return (SMBAUTH_FAILURE);
575 
576 	if (ret_auth) {
577 		bzero(ret_auth, sizeof (struct netr_authenticator));
578 		ret_auth->timestamp = netr_info->timestamp;
579 	}
580 
581 	return (SMBAUTH_SUCCESS);
582 }
583 
584 /*
585  * Validate the returned credentials and update the credential chain.
586  * The server returns an updated client credential rather than a new
587  * server credential.  The server uses (timestamp + 1) when generating
588  * the credential.
589  *
590  * Generate the new seed for the credential chain. The new seed is
591  * formed by adding (timestamp + 1) to the current client credential.
592  * The only quirk is the uint32_t style addition.
593  *
594  * Returns NT_STATUS_INSUFFICIENT_LOGON_INFO if auth->credential is a
595  * NULL pointer. The Authenticator field of the SamLogon response packet
596  * sent by the Samba 3 PDC always return NULL pointer if the received
597  * SamLogon request is not immediately followed by the ServerReqChallenge
598  * and ServerAuthenticate2 requests.
599  *
600  * Returns NT_STATUS_SUCCESS if the server returned a valid credential.
601  * Otherwise we retirm NT_STATUS_UNSUCCESSFUL.
602  */
603 uint32_t
604 netr_validate_chain(netr_info_t *netr_info, struct netr_authenticator *auth)
605 {
606 	netr_cred_t cred;
607 	uint32_t result = NT_STATUS_SUCCESS;
608 	uint32_t *dwp;
609 
610 	++netr_info->timestamp;
611 
612 	if (netr_gen_credentials(netr_info->session_key.key,
613 	    &netr_info->client_credential,
614 	    netr_info->timestamp, &cred) != SMBAUTH_SUCCESS)
615 		return (NT_STATUS_INTERNAL_ERROR);
616 
617 	if (&auth->credential == 0) {
618 		/*
619 		 * If the validation fails, destroy the credential chain.
620 		 * This should trigger a new authentication chain.
621 		 */
622 		bzero(netr_info, sizeof (netr_info_t));
623 		return (NT_STATUS_INSUFFICIENT_LOGON_INFO);
624 	}
625 
626 	result = memcmp(&cred, &auth->credential, sizeof (netr_cred_t));
627 	if (result != 0) {
628 		/*
629 		 * If the validation fails, destroy the credential chain.
630 		 * This should trigger a new authentication chain.
631 		 */
632 		bzero(netr_info, sizeof (netr_info_t));
633 		result = NT_STATUS_UNSUCCESSFUL;
634 	} else {
635 		/*
636 		 * Otherwise generate the next step in the chain.
637 		 */
638 		/*LINTED E_BAD_PTR_CAST_ALIGN*/
639 		dwp = (uint32_t *)&netr_info->client_credential;
640 		dwp[0] += netr_info->timestamp;
641 
642 		netr_info->flags |= NETR_FLG_VALID;
643 	}
644 
645 	return (result);
646 }
647 
648 /*
649  * netr_invalidate_chain
650  *
651  * Mark the credential chain as invalid so that it will be recreated
652  * on the next attempt.
653  */
654 static void
655 netr_invalidate_chain(void)
656 {
657 	netr_global_info.flags &= ~NETR_FLG_VALID;
658 }
659 
660 /*
661  * netr_setup_identity
662  *
663  * Set up the client identity information. All of this information is
664  * specifically related to the client user and workstation attempting
665  * to access this system. It may not be in our primary domain.
666  *
667  * I don't know what logon_id is, it seems to be a unique identifier.
668  * Increment it before each use.
669  */
670 static void
671 netr_setup_identity(ndr_heap_t *heap, smb_logon_t *user_info,
672     netr_logon_id_t *identity)
673 {
674 	static mutex_t logon_id_mutex;
675 	static uint32_t logon_id;
676 
677 	(void) mutex_lock(&logon_id_mutex);
678 
679 	if (logon_id == 0)
680 		logon_id = 0xDCD0;
681 
682 	++logon_id;
683 	user_info->lg_logon_id = logon_id;
684 
685 	(void) mutex_unlock(&logon_id_mutex);
686 
687 	/*
688 	 * [MS-APDS] 3.1.5.2 "NTLM Network Logon" says to set
689 	 * ParameterControl to the 'E' + 'K' bits.  Those are:
690 	 * (1 << 5) | (1 << 11), a.k.a
691 	 */
692 	identity->parameter_control =
693 	    MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
694 	    MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
695 	identity->logon_id.LowPart = logon_id;
696 	identity->logon_id.HighPart = 0;
697 
698 	ndr_heap_mkvcs(heap, user_info->lg_domain,
699 	    (ndr_vcstr_t *)&identity->domain_name);
700 
701 	ndr_heap_mkvcs(heap, user_info->lg_username,
702 	    (ndr_vcstr_t *)&identity->username);
703 
704 	/*
705 	 * Some systems prefix the client workstation name with \\.
706 	 * It doesn't seem to make any difference whether it's there
707 	 * or not.
708 	 */
709 	ndr_heap_mkvcs(heap, user_info->lg_workstation,
710 	    (ndr_vcstr_t *)&identity->workstation);
711 }
712 
713 /*
714  * Sets up domain, local and well-known group membership for the given
715  * token. Two assumptions have been made here:
716  *
717  *   a) token already contains a valid user SID so that group
718  *      memberships can be established
719  *
720  *   b) token belongs to a domain user
721  */
722 static uint32_t
723 netr_setup_token_wingrps(struct netr_validation_info3 *info3,
724     smb_token_t *token)
725 {
726 	smb_ids_t tkn_grps;
727 	uint32_t status;
728 
729 	tkn_grps.i_cnt = 0;
730 	tkn_grps.i_ids = NULL;
731 
732 	status = netr_setup_domain_groups(info3, &tkn_grps);
733 	if (status != NT_STATUS_SUCCESS) {
734 		smb_ids_free(&tkn_grps);
735 		return (status);
736 	}
737 
738 	status = smb_sam_usr_groups(token->tkn_user.i_sid, &tkn_grps);
739 	if (status != NT_STATUS_SUCCESS) {
740 		smb_ids_free(&tkn_grps);
741 		return (status);
742 	}
743 
744 	if (netr_isadmin(info3))
745 		token->tkn_flags |= SMB_ATF_ADMIN;
746 
747 	status = smb_wka_token_groups(token->tkn_flags, &tkn_grps);
748 	if (status == NT_STATUS_SUCCESS)
749 		token->tkn_win_grps = tkn_grps;
750 	else
751 		smb_ids_free(&tkn_grps);
752 
753 	return (status);
754 }
755 
756 /*
757  * Converts groups information in the returned structure by domain controller
758  * (info3) to an internal representation (gids)
759  */
760 static uint32_t
761 netr_setup_domain_groups(struct netr_validation_info3 *info3, smb_ids_t *gids)
762 {
763 	smb_sid_t *domain_sid;
764 	smb_id_t *ids;
765 	int i, total_cnt;
766 
767 	if ((i = info3->GroupCount) == 0)
768 		i++;
769 	i += info3->SidCount;
770 
771 	total_cnt = gids->i_cnt + i;
772 
773 	gids->i_ids = realloc(gids->i_ids, total_cnt * sizeof (smb_id_t));
774 	if (gids->i_ids == NULL)
775 		return (NT_STATUS_NO_MEMORY);
776 
777 	domain_sid = (smb_sid_t *)info3->LogonDomainId;
778 
779 	ids = gids->i_ids + gids->i_cnt;
780 	for (i = 0; i < info3->GroupCount; i++, gids->i_cnt++, ids++) {
781 		ids->i_sid = smb_sid_splice(domain_sid, info3->GroupIds[i].rid);
782 		if (ids->i_sid == NULL)
783 			return (NT_STATUS_NO_MEMORY);
784 
785 		ids->i_attrs = info3->GroupIds[i].attributes;
786 	}
787 
788 	if (info3->GroupCount == 0) {
789 		/*
790 		 * if there's no global group should add the primary group.
791 		 */
792 		ids->i_sid = smb_sid_splice(domain_sid, info3->PrimaryGroupId);
793 		if (ids->i_sid == NULL)
794 			return (NT_STATUS_NO_MEMORY);
795 
796 		ids->i_attrs = 0x7;
797 		gids->i_cnt++;
798 		ids++;
799 	}
800 
801 	/* Add the extra SIDs */
802 	for (i = 0; i < info3->SidCount; i++, gids->i_cnt++, ids++) {
803 		ids->i_sid = smb_sid_dup((smb_sid_t *)info3->ExtraSids[i].sid);
804 		if (ids->i_sid == NULL)
805 			return (NT_STATUS_NO_MEMORY);
806 
807 		ids->i_attrs = info3->ExtraSids[i].attributes;
808 	}
809 
810 	return (NT_STATUS_SUCCESS);
811 }
812 
813 /*
814  * Determines if the given user is the domain Administrator or a
815  * member of Domain Admins
816  */
817 static boolean_t
818 netr_isadmin(struct netr_validation_info3 *info3)
819 {
820 	smb_domain_t di;
821 	int i;
822 
823 	if (!smb_domain_lookup_sid((smb_sid_t *)info3->LogonDomainId, &di))
824 		return (B_FALSE);
825 
826 	if (di.di_type != SMB_DOMAIN_PRIMARY)
827 		return (B_FALSE);
828 
829 	if ((info3->UserId == DOMAIN_USER_RID_ADMIN) ||
830 	    (info3->PrimaryGroupId == DOMAIN_GROUP_RID_ADMINS))
831 		return (B_TRUE);
832 
833 	for (i = 0; i < info3->GroupCount; i++)
834 		if (info3->GroupIds[i].rid == DOMAIN_GROUP_RID_ADMINS)
835 			return (B_TRUE);
836 
837 	return (B_FALSE);
838 }
839