1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * Security database interface. 28 */ 29 #include <unistd.h> 30 #include <strings.h> 31 #include <pwd.h> 32 #include <grp.h> 33 #include <time.h> 34 #include <syslog.h> 35 #include <assert.h> 36 #include <synch.h> 37 38 #include <smbsrv/libsmb.h> 39 #include <smbsrv/libmlsvc.h> 40 41 #include <smbsrv/smbinfo.h> 42 #include <smbsrv/smb_token.h> 43 #include <lsalib.h> 44 45 static smb_account_t smb_guest; 46 static smb_account_t smb_domusers; 47 static rwlock_t smb_logoninit_rwl; 48 49 extern uint32_t netlogon_logon(netr_client_t *, smb_token_t *); 50 static uint32_t smb_logon_domain(netr_client_t *, smb_token_t *); 51 static uint32_t smb_logon_local(netr_client_t *, smb_token_t *); 52 static uint32_t smb_logon_guest(netr_client_t *, smb_token_t *); 53 static uint32_t smb_logon_anon(netr_client_t *, smb_token_t *); 54 55 static uint32_t smb_token_auth_local(netr_client_t *, smb_token_t *, 56 smb_passwd_t *); 57 58 static uint32_t smb_token_setup_local(smb_passwd_t *, smb_token_t *); 59 static uint32_t smb_token_setup_guest(netr_client_t *, smb_token_t *); 60 static uint32_t smb_token_setup_anon(smb_token_t *token); 61 62 static boolean_t smb_token_is_member(smb_token_t *, smb_sid_t *); 63 static uint32_t smb_token_setup_wingrps(smb_token_t *); 64 static smb_posix_grps_t *smb_token_create_pxgrps(uid_t); 65 66 static void smb_guest_account(char *, size_t); 67 68 /* Consolidation private function from Network Repository */ 69 extern int _getgroupsbymember(const char *, gid_t[], int, int); 70 71 static idmap_stat 72 smb_token_idmap(smb_token_t *token, smb_idmap_batch_t *sib) 73 { 74 idmap_stat stat; 75 smb_idmap_t *sim; 76 smb_id_t *id; 77 int i; 78 79 if (!token || !sib) 80 return (IDMAP_ERR_ARG); 81 82 sim = sib->sib_maps; 83 84 if (token->tkn_flags & SMB_ATF_ANON) { 85 token->tkn_user.i_id = UID_NOBODY; 86 token->tkn_owner.i_id = UID_NOBODY; 87 } else { 88 /* User SID */ 89 id = &token->tkn_user; 90 sim->sim_id = &id->i_id; 91 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, 92 id->i_sid, SMB_IDMAP_USER); 93 94 if (stat != IDMAP_SUCCESS) 95 return (stat); 96 97 /* Owner SID */ 98 id = &token->tkn_owner; 99 sim->sim_id = &id->i_id; 100 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, 101 id->i_sid, SMB_IDMAP_USER); 102 103 if (stat != IDMAP_SUCCESS) 104 return (stat); 105 } 106 107 /* Primary Group SID */ 108 id = &token->tkn_primary_grp; 109 sim->sim_id = &id->i_id; 110 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, id->i_sid, 111 SMB_IDMAP_GROUP); 112 113 if (stat != IDMAP_SUCCESS) 114 return (stat); 115 116 /* Other Windows Group SIDs */ 117 for (i = 0; i < token->tkn_win_grps.i_cnt; i++, sim++) { 118 id = &token->tkn_win_grps.i_ids[i]; 119 sim->sim_id = &id->i_id; 120 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim, 121 id->i_sid, SMB_IDMAP_GROUP); 122 123 if (stat != IDMAP_SUCCESS) 124 break; 125 } 126 127 return (stat); 128 } 129 130 /* 131 * smb_token_sids2ids 132 * 133 * This will map all the SIDs of the access token to UIDs/GIDs. 134 * 135 * Returns 0 upon success. Otherwise, returns -1. 136 */ 137 static int 138 smb_token_sids2ids(smb_token_t *token) 139 { 140 idmap_stat stat; 141 int nmaps, retries = 0; 142 smb_idmap_batch_t sib; 143 144 /* 145 * Number of idmap lookups: user SID, owner SID, primary group SID, 146 * and all Windows group SIDs. Skip user/owner SID for Anonymous. 147 */ 148 if (token->tkn_flags & SMB_ATF_ANON) 149 nmaps = token->tkn_win_grps.i_cnt + 1; 150 else 151 nmaps = token->tkn_win_grps.i_cnt + 3; 152 153 do { 154 stat = smb_idmap_batch_create(&sib, nmaps, SMB_IDMAP_SID2ID); 155 if (stat != IDMAP_SUCCESS) 156 return (-1); 157 158 stat = smb_token_idmap(token, &sib); 159 if (stat != IDMAP_SUCCESS) { 160 smb_idmap_batch_destroy(&sib); 161 return (-1); 162 } 163 164 stat = smb_idmap_batch_getmappings(&sib); 165 smb_idmap_batch_destroy(&sib); 166 if (stat == IDMAP_ERR_RPC_HANDLE) 167 if (smb_idmap_restart() < 0) 168 break; 169 } while (stat == IDMAP_ERR_RPC_HANDLE && retries++ < 3); 170 171 return (stat == IDMAP_SUCCESS ? 0 : -1); 172 } 173 174 /* 175 * smb_token_create_pxgrps 176 * 177 * Setup the POSIX group membership of the access token if the given UID is 178 * a POSIX UID (non-ephemeral). Both the user's primary group and 179 * supplementary groups will be added to the POSIX group array of the access 180 * token. 181 */ 182 static smb_posix_grps_t * 183 smb_token_create_pxgrps(uid_t uid) 184 { 185 struct passwd *pwd; 186 smb_posix_grps_t *pgrps; 187 int ngroups_max, num; 188 gid_t *gids; 189 190 if ((ngroups_max = sysconf(_SC_NGROUPS_MAX)) < 0) { 191 syslog(LOG_ERR, "smb_logon: failed to get _SC_NGROUPS_MAX"); 192 return (NULL); 193 } 194 195 pwd = getpwuid(uid); 196 if (pwd == NULL) { 197 pgrps = malloc(sizeof (smb_posix_grps_t)); 198 if (pgrps == NULL) 199 return (NULL); 200 201 pgrps->pg_ngrps = 0; 202 return (pgrps); 203 } 204 205 if (pwd->pw_name == NULL) { 206 pgrps = malloc(sizeof (smb_posix_grps_t)); 207 if (pgrps == NULL) 208 return (NULL); 209 210 pgrps->pg_ngrps = 1; 211 pgrps->pg_grps[0] = pwd->pw_gid; 212 return (pgrps); 213 } 214 215 gids = (gid_t *)malloc(ngroups_max * sizeof (gid_t)); 216 if (gids == NULL) { 217 return (NULL); 218 } 219 bzero(gids, ngroups_max * sizeof (gid_t)); 220 221 gids[0] = pwd->pw_gid; 222 223 /* 224 * Setup the groups starting at index 1 (the last arg) 225 * of gids array. 226 */ 227 num = _getgroupsbymember(pwd->pw_name, gids, ngroups_max, 1); 228 229 if (num == -1) { 230 syslog(LOG_ERR, "smb_logon: unable " 231 "to get user's supplementary groups"); 232 num = 1; 233 } 234 235 pgrps = (smb_posix_grps_t *)malloc(SMB_POSIX_GRPS_SIZE(num)); 236 if (pgrps) { 237 pgrps->pg_ngrps = num; 238 bcopy(gids, pgrps->pg_grps, num * sizeof (gid_t)); 239 } 240 241 free(gids); 242 return (pgrps); 243 } 244 245 /* 246 * smb_token_destroy 247 * 248 * Release all of the memory associated with a token structure. Ensure 249 * that the token has been unlinked before calling. 250 */ 251 void 252 smb_token_destroy(smb_token_t *token) 253 { 254 if (token != NULL) { 255 smb_sid_free(token->tkn_user.i_sid); 256 smb_sid_free(token->tkn_owner.i_sid); 257 smb_sid_free(token->tkn_primary_grp.i_sid); 258 smb_ids_free(&token->tkn_win_grps); 259 smb_privset_free(token->tkn_privileges); 260 free(token->tkn_posix_grps); 261 free(token->tkn_account_name); 262 free(token->tkn_domain_name); 263 free(token->tkn_session_key); 264 free(token); 265 } 266 } 267 268 /* 269 * Token owner should be set to local Administrators group 270 * in two cases: 271 * 1. The logged on user is a member of Domain Admins group 272 * 2. he/she is a member of local Administrators group 273 */ 274 static void 275 smb_token_set_owner(smb_token_t *token) 276 { 277 #ifdef SMB_SUPPORT_GROUP_OWNER 278 smb_sid_t *owner_sid; 279 280 if (token->tkn_flags & SMB_ATF_ADMIN) { 281 owner_sid = smb_wka_get_sid("Administrators"); 282 assert(owner_sid); 283 } else { 284 owner_sid = token->tkn_user->i_sid; 285 } 286 287 token->tkn_owner.i_sid = smb_sid_dup(owner_sid); 288 #endif 289 token->tkn_owner.i_sid = smb_sid_dup(token->tkn_user.i_sid); 290 } 291 292 static smb_privset_t * 293 smb_token_create_privs(smb_token_t *token) 294 { 295 smb_privset_t *privs; 296 smb_giter_t gi; 297 smb_group_t grp; 298 int rc; 299 300 privs = smb_privset_new(); 301 if (privs == NULL) 302 return (NULL); 303 304 if (smb_lgrp_iteropen(&gi) != SMB_LGRP_SUCCESS) { 305 smb_privset_free(privs); 306 return (NULL); 307 } 308 309 while (smb_lgrp_iterate(&gi, &grp) == SMB_LGRP_SUCCESS) { 310 if (smb_lgrp_is_member(&grp, token->tkn_user.i_sid)) 311 smb_privset_merge(privs, grp.sg_privs); 312 smb_lgrp_free(&grp); 313 } 314 smb_lgrp_iterclose(&gi); 315 316 if (token->tkn_flags & SMB_ATF_ADMIN) { 317 rc = smb_lgrp_getbyname("Administrators", &grp); 318 if (rc == SMB_LGRP_SUCCESS) { 319 smb_privset_merge(privs, grp.sg_privs); 320 smb_lgrp_free(&grp); 321 } 322 323 /* 324 * This privilege is required to view/edit SACL 325 */ 326 smb_privset_enable(privs, SE_SECURITY_LUID); 327 } 328 329 return (privs); 330 } 331 332 static void 333 smb_token_set_flags(smb_token_t *token) 334 { 335 if (smb_token_is_member(token, smb_wka_get_sid("Administrators"))) 336 token->tkn_flags |= SMB_ATF_ADMIN; 337 338 if (smb_token_is_member(token, smb_wka_get_sid("Power Users"))) 339 token->tkn_flags |= SMB_ATF_POWERUSER; 340 341 if (smb_token_is_member(token, smb_wka_get_sid("Backup Operators"))) 342 token->tkn_flags |= SMB_ATF_BACKUPOP; 343 } 344 345 /* 346 * Common token setup for both local and domain users. 347 * This function must be called after the initial setup 348 * has been done. 349 * 350 * Note that the order of calls in this function are important. 351 */ 352 static uint32_t 353 smb_token_setup_common(smb_token_t *token) 354 { 355 smb_token_set_flags(token); 356 357 smb_token_set_owner(token); 358 if (token->tkn_owner.i_sid == NULL) 359 return (NT_STATUS_NO_MEMORY); 360 361 /* Privileges */ 362 token->tkn_privileges = smb_token_create_privs(token); 363 if (token->tkn_privileges == NULL) 364 return (NT_STATUS_NO_MEMORY); 365 366 if (smb_token_sids2ids(token) != 0) { 367 syslog(LOG_ERR, "%s\\%s: idmap failed", 368 token->tkn_domain_name, token->tkn_account_name); 369 return (NT_STATUS_INTERNAL_ERROR); 370 } 371 372 /* Solaris Groups */ 373 token->tkn_posix_grps = smb_token_create_pxgrps(token->tkn_user.i_id); 374 375 return (NT_STATUS_SUCCESS); 376 } 377 378 uint32_t 379 smb_logon_init(void) 380 { 381 uint32_t status; 382 383 (void) rw_wrlock(&smb_logoninit_rwl); 384 status = smb_sam_lookup_name(NULL, "guest", SidTypeUser, &smb_guest); 385 if (status != NT_STATUS_SUCCESS) { 386 (void) rw_unlock(&smb_logoninit_rwl); 387 return (status); 388 } 389 390 status = smb_sam_lookup_name(NULL, "domain users", SidTypeGroup, 391 &smb_domusers); 392 if (status != NT_STATUS_SUCCESS) { 393 smb_account_free(&smb_guest); 394 bzero(&smb_guest, sizeof (smb_account_t)); 395 (void) rw_unlock(&smb_logoninit_rwl); 396 return (status); 397 } 398 399 (void) rw_unlock(&smb_logoninit_rwl); 400 return (status); 401 } 402 403 void 404 smb_logon_fini(void) 405 { 406 (void) rw_wrlock(&smb_logoninit_rwl); 407 smb_account_free(&smb_guest); 408 smb_account_free(&smb_domusers); 409 bzero(&smb_guest, sizeof (smb_account_t)); 410 bzero(&smb_domusers, sizeof (smb_account_t)); 411 (void) rw_unlock(&smb_logoninit_rwl); 412 } 413 414 /* 415 * smb_logon 416 * 417 * Performs user authentication and creates a token if the 418 * authentication is successful. 419 * 420 * Returns pointer to the created token. 421 */ 422 smb_token_t * 423 smb_logon(netr_client_t *clnt) 424 { 425 smb_token_t *token = NULL; 426 uint32_t status; 427 428 if ((token = malloc(sizeof (smb_token_t))) == NULL) { 429 syslog(LOG_ERR, "smb_logon: resource shortage"); 430 return (NULL); 431 } 432 bzero(token, sizeof (smb_token_t)); 433 434 status = smb_logon_anon(clnt, token); 435 if (status == NT_STATUS_INVALID_LOGON_TYPE) { 436 status = smb_logon_local(clnt, token); 437 if (status != NT_STATUS_SUCCESS) { 438 if ((status == NT_STATUS_INVALID_LOGON_TYPE) || 439 (*clnt->e_domain == '\0')) 440 status = smb_logon_domain(clnt, token); 441 } 442 443 if (status == NT_STATUS_NO_SUCH_USER) 444 status = smb_logon_guest(clnt, token); 445 } 446 447 if (status == NT_STATUS_SUCCESS) { 448 if (smb_token_setup_common(token) == NT_STATUS_SUCCESS) 449 return (token); 450 } 451 452 smb_token_destroy(token); 453 return (NULL); 454 } 455 456 /* 457 * smb_logon_domain 458 * 459 * Performs pass through authentication with PDC. 460 */ 461 static uint32_t 462 smb_logon_domain(netr_client_t *clnt, smb_token_t *token) 463 { 464 uint32_t status; 465 466 if ((status = netlogon_logon(clnt, token)) != 0) { 467 if (status == NT_STATUS_CANT_ACCESS_DOMAIN_INFO) { 468 if ((status = netlogon_logon(clnt, token)) != 0) { 469 syslog(LOG_INFO, "SmbLogon[%s\\%s]: %s", 470 clnt->e_domain, clnt->e_username, 471 xlate_nt_status(status)); 472 return (status); 473 } 474 } 475 } 476 477 return (status); 478 } 479 480 /* 481 * smb_logon_local 482 * 483 * Check to see if connected user has an entry in the local 484 * smbpasswd database. If it has, tries both LM hash and NT 485 * hash with user's password(s) to authenticate the user. 486 */ 487 static uint32_t 488 smb_logon_local(netr_client_t *clnt, smb_token_t *token) 489 { 490 char guest[SMB_USERNAME_MAXLEN]; 491 smb_passwd_t smbpw; 492 uint32_t status; 493 nt_domain_t domain; 494 boolean_t isguest; 495 496 /* Make sure this is not a domain user */ 497 if (smb_config_get_secmode() == SMB_SECMODE_DOMAIN) { 498 if (nt_domain_lookup_name(clnt->e_domain, &domain)) { 499 if (domain.di_type != NT_DOMAIN_LOCAL) 500 return (NT_STATUS_INVALID_LOGON_TYPE); 501 } 502 } 503 504 smb_guest_account(guest, SMB_USERNAME_MAXLEN); 505 isguest = (utf8_strcasecmp(guest, clnt->e_username) == 0); 506 507 status = smb_token_auth_local(clnt, token, &smbpw); 508 if (status == NT_STATUS_SUCCESS) { 509 if (isguest) 510 status = smb_token_setup_guest(clnt, token); 511 else 512 status = smb_token_setup_local(&smbpw, token); 513 } 514 515 return (status); 516 } 517 518 /* 519 * If there's a local guest account with password or if 520 * guest is mapped to a local account with password then 521 * it should be authenticated 522 */ 523 static uint32_t 524 smb_logon_guest(netr_client_t *clnt, smb_token_t *token) 525 { 526 char guest[SMB_USERNAME_MAXLEN]; 527 smb_passwd_t smbpw; 528 char *temp; 529 uint32_t status; 530 531 smb_guest_account(guest, SMB_USERNAME_MAXLEN); 532 temp = clnt->e_username; 533 clnt->e_username = guest; 534 535 status = smb_token_auth_local(clnt, token, &smbpw); 536 if ((status == NT_STATUS_SUCCESS) || 537 (status == NT_STATUS_NO_SUCH_USER)) { 538 status = smb_token_setup_guest(clnt, token); 539 } 540 541 clnt->e_username = temp; 542 return (status); 543 } 544 545 /* 546 * If 'clnt' represents an anonymous user (no password) 547 * then setup the token accordingly, otherwise return 548 * NT_STATUS_INVALID_LOGON_TYPE 549 */ 550 static uint32_t 551 smb_logon_anon(netr_client_t *clnt, smb_token_t *token) 552 { 553 if ((clnt->nt_password.nt_password_len == 0) && 554 (clnt->lm_password.lm_password_len == 0 || 555 (clnt->lm_password.lm_password_len == 1 && 556 *clnt->lm_password.lm_password_val == '\0'))) { 557 return (smb_token_setup_anon(token)); 558 } 559 560 return (NT_STATUS_INVALID_LOGON_TYPE); 561 } 562 563 static uint32_t 564 smb_token_auth_local(netr_client_t *clnt, smb_token_t *token, 565 smb_passwd_t *smbpw) 566 { 567 boolean_t lm_ok, nt_ok; 568 uint32_t status = NT_STATUS_SUCCESS; 569 570 if (smb_pwd_getpwnam(clnt->e_username, smbpw) == NULL) 571 return (NT_STATUS_NO_SUCH_USER); 572 573 if (smbpw->pw_flags & SMB_PWF_DISABLE) 574 return (NT_STATUS_ACCOUNT_DISABLED); 575 576 nt_ok = lm_ok = B_FALSE; 577 if ((smbpw->pw_flags & SMB_PWF_LM) && 578 (clnt->lm_password.lm_password_len != 0)) { 579 lm_ok = smb_auth_validate_lm( 580 clnt->challenge_key.challenge_key_val, 581 clnt->challenge_key.challenge_key_len, 582 smbpw, 583 clnt->lm_password.lm_password_val, 584 clnt->lm_password.lm_password_len, 585 clnt->domain, 586 clnt->username); 587 token->tkn_session_key = NULL; 588 } 589 590 if (!lm_ok && (clnt->nt_password.nt_password_len != 0)) { 591 token->tkn_session_key = malloc(SMBAUTH_SESSION_KEY_SZ); 592 if (token->tkn_session_key == NULL) 593 return (NT_STATUS_NO_MEMORY); 594 nt_ok = smb_auth_validate_nt( 595 clnt->challenge_key.challenge_key_val, 596 clnt->challenge_key.challenge_key_len, 597 smbpw, 598 clnt->nt_password.nt_password_val, 599 clnt->nt_password.nt_password_len, 600 clnt->domain, 601 clnt->username, 602 (uchar_t *)token->tkn_session_key); 603 } 604 605 if (!nt_ok && !lm_ok) { 606 status = NT_STATUS_WRONG_PASSWORD; 607 syslog(LOG_NOTICE, "SmbLogon[%s\\%s]: %s", 608 clnt->e_domain, clnt->e_username, 609 xlate_nt_status(status)); 610 } 611 612 return (status); 613 } 614 615 /* 616 * Setup an access token for the specified local user. 617 */ 618 static uint32_t 619 smb_token_setup_local(smb_passwd_t *smbpw, smb_token_t *token) 620 { 621 idmap_stat stat; 622 smb_idmap_batch_t sib; 623 smb_idmap_t *umap, *gmap; 624 struct passwd pw; 625 char pwbuf[1024]; 626 char nbname[NETBIOS_NAME_SZ]; 627 628 (void) smb_getnetbiosname(nbname, sizeof (nbname)); 629 token->tkn_account_name = strdup(smbpw->pw_name); 630 token->tkn_domain_name = strdup(nbname); 631 632 if (token->tkn_account_name == NULL || 633 token->tkn_domain_name == NULL) 634 return (NT_STATUS_NO_MEMORY); 635 636 if (getpwuid_r(smbpw->pw_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL) 637 return (NT_STATUS_NO_SUCH_USER); 638 639 /* Get the SID for user's uid & gid */ 640 stat = smb_idmap_batch_create(&sib, 2, SMB_IDMAP_ID2SID); 641 if (stat != IDMAP_SUCCESS) 642 return (NT_STATUS_INTERNAL_ERROR); 643 644 umap = &sib.sib_maps[0]; 645 stat = smb_idmap_batch_getsid(sib.sib_idmaph, umap, pw.pw_uid, 646 SMB_IDMAP_USER); 647 648 if (stat != IDMAP_SUCCESS) { 649 smb_idmap_batch_destroy(&sib); 650 return (NT_STATUS_INTERNAL_ERROR); 651 } 652 653 gmap = &sib.sib_maps[1]; 654 stat = smb_idmap_batch_getsid(sib.sib_idmaph, gmap, pw.pw_gid, 655 SMB_IDMAP_GROUP); 656 657 if (stat != IDMAP_SUCCESS) { 658 smb_idmap_batch_destroy(&sib); 659 return (NT_STATUS_INTERNAL_ERROR); 660 } 661 662 if (smb_idmap_batch_getmappings(&sib) != IDMAP_SUCCESS) 663 return (NT_STATUS_INTERNAL_ERROR); 664 665 token->tkn_user.i_sid = smb_sid_dup(umap->sim_sid); 666 token->tkn_primary_grp.i_sid = smb_sid_dup(gmap->sim_sid); 667 668 smb_idmap_batch_destroy(&sib); 669 670 if (token->tkn_user.i_sid == NULL || 671 token->tkn_primary_grp.i_sid == NULL) 672 return (NT_STATUS_NO_MEMORY); 673 674 return (smb_token_setup_wingrps(token)); 675 } 676 677 /* 678 * Setup access token for guest connections 679 */ 680 static uint32_t 681 smb_token_setup_guest(netr_client_t *clnt, smb_token_t *token) 682 { 683 token->tkn_account_name = strdup(clnt->e_username); 684 685 (void) rw_rdlock(&smb_logoninit_rwl); 686 token->tkn_domain_name = strdup(smb_guest.a_domain); 687 token->tkn_user.i_sid = smb_sid_dup(smb_guest.a_sid); 688 token->tkn_primary_grp.i_sid = smb_sid_dup(smb_domusers.a_sid); 689 (void) rw_unlock(&smb_logoninit_rwl); 690 token->tkn_flags = SMB_ATF_GUEST; 691 692 if (token->tkn_account_name == NULL || 693 token->tkn_domain_name == NULL || 694 token->tkn_user.i_sid == NULL || 695 token->tkn_primary_grp.i_sid == NULL) 696 return (NT_STATUS_NO_MEMORY); 697 698 return (smb_token_setup_wingrps(token)); 699 } 700 701 /* 702 * Setup access token for anonymous connections 703 */ 704 static uint32_t 705 smb_token_setup_anon(smb_token_t *token) 706 { 707 smb_sid_t *user_sid; 708 709 token->tkn_account_name = strdup("Anonymous"); 710 token->tkn_domain_name = strdup("NT Authority"); 711 user_sid = smb_wka_get_sid("Anonymous"); 712 token->tkn_user.i_sid = smb_sid_dup(user_sid); 713 token->tkn_primary_grp.i_sid = smb_sid_dup(user_sid); 714 token->tkn_flags = SMB_ATF_ANON; 715 716 if (token->tkn_account_name == NULL || 717 token->tkn_domain_name == NULL || 718 token->tkn_user.i_sid == NULL || 719 token->tkn_primary_grp.i_sid == NULL) 720 return (NT_STATUS_NO_MEMORY); 721 722 return (smb_token_setup_wingrps(token)); 723 } 724 725 /* 726 * smb_token_user_sid 727 * 728 * Return a pointer to the user SID in the specified token. A null 729 * pointer indicates an error. 730 */ 731 static smb_sid_t * 732 smb_token_user_sid(smb_token_t *token) 733 { 734 return ((token) ? token->tkn_user.i_sid : NULL); 735 } 736 737 /* 738 * smb_token_group_sid 739 * 740 * Return a pointer to the group SID as indicated by the iterator. 741 * Setting the iterator to 0 before calling this function will return 742 * the first group, which will always be the primary group. The 743 * iterator will be incremented before returning the SID so that this 744 * function can be used to cycle through the groups. The caller can 745 * adjust the iterator as required between calls to obtain any specific 746 * group. 747 * 748 * On success a pointer to the appropriate group SID will be returned. 749 * Otherwise a null pointer will be returned. 750 */ 751 static smb_sid_t * 752 smb_token_group_sid(smb_token_t *token, int *iterator) 753 { 754 int index; 755 756 if (token == NULL || iterator == NULL) 757 return (NULL); 758 759 if (token->tkn_win_grps.i_ids == NULL) 760 return (NULL); 761 762 index = *iterator; 763 764 if (index < 0 || index >= token->tkn_win_grps.i_cnt) 765 return (NULL); 766 767 ++(*iterator); 768 return (token->tkn_win_grps.i_ids[index].i_sid); 769 } 770 771 /* 772 * smb_token_is_member 773 * 774 * This function will determine whether or not the specified SID is a 775 * member of a token. The user SID and all group SIDs are tested. 776 * Returns 1 if the SID is a member of the token. Otherwise returns 0. 777 */ 778 static boolean_t 779 smb_token_is_member(smb_token_t *token, smb_sid_t *sid) 780 { 781 smb_sid_t *tsid; 782 int iterator = 0; 783 784 if (token == NULL || sid == NULL) 785 return (B_FALSE); 786 787 tsid = smb_token_user_sid(token); 788 while (tsid) { 789 if (smb_sid_cmp(tsid, sid)) 790 return (B_TRUE); 791 792 tsid = smb_token_group_sid(token, &iterator); 793 } 794 795 return (B_FALSE); 796 } 797 798 /* 799 * smb_token_log 800 * 801 * Diagnostic routine to write the contents of a token to the log. 802 */ 803 void 804 smb_token_log(smb_token_t *token) 805 { 806 smb_ids_t *w_grps; 807 smb_id_t *grp; 808 smb_posix_grps_t *x_grps; 809 char sidstr[SMB_SID_STRSZ]; 810 int i; 811 812 if (token == NULL) 813 return; 814 815 syslog(LOG_DEBUG, "Token for %s\\%s", 816 (token->tkn_domain_name) ? token->tkn_domain_name : "-NULL-", 817 (token->tkn_account_name) ? token->tkn_account_name : "-NULL-"); 818 819 syslog(LOG_DEBUG, " User->Attr: %d", token->tkn_user.i_attrs); 820 smb_sid_tostr((smb_sid_t *)token->tkn_user.i_sid, sidstr); 821 syslog(LOG_DEBUG, " User->Sid: %s (id=%u)", sidstr, 822 token->tkn_user.i_id); 823 824 smb_sid_tostr((smb_sid_t *)token->tkn_owner.i_sid, sidstr); 825 syslog(LOG_DEBUG, " Ownr->Sid: %s (id=%u)", 826 sidstr, token->tkn_owner.i_id); 827 828 smb_sid_tostr((smb_sid_t *)token->tkn_primary_grp.i_sid, sidstr); 829 syslog(LOG_DEBUG, " PGrp->Sid: %s (id=%u)", 830 sidstr, token->tkn_primary_grp.i_id); 831 832 w_grps = &token->tkn_win_grps; 833 if (w_grps->i_ids) { 834 syslog(LOG_DEBUG, " Windows groups: %d", w_grps->i_cnt); 835 grp = w_grps->i_ids; 836 for (i = 0; i < w_grps->i_cnt; ++i, grp++) { 837 syslog(LOG_DEBUG, 838 " Grp[%d].Attr:%d", i, grp->i_attrs); 839 if (grp->i_sid != NULL) { 840 smb_sid_tostr((smb_sid_t *)grp->i_sid, sidstr); 841 syslog(LOG_DEBUG, 842 " Grp[%d].Sid: %s (id=%u)", i, sidstr, 843 grp->i_id); 844 } 845 } 846 } else { 847 syslog(LOG_DEBUG, " No Windows groups"); 848 } 849 850 x_grps = token->tkn_posix_grps; 851 if (x_grps) { 852 syslog(LOG_DEBUG, " Solaris groups: %d", x_grps->pg_ngrps); 853 for (i = 0; i < x_grps->pg_ngrps; i++) 854 syslog(LOG_DEBUG, " %u", x_grps->pg_grps[i]); 855 } else { 856 syslog(LOG_DEBUG, " No Solaris groups"); 857 } 858 859 if (token->tkn_privileges) 860 smb_privset_log(token->tkn_privileges); 861 else 862 syslog(LOG_DEBUG, " No privileges"); 863 } 864 865 /* 866 * Sets up local and well-known group membership for the given 867 * token. Two assumptions have been made here: 868 * 869 * a) token already contains a valid user SID so that group 870 * memberships can be established 871 * 872 * b) token belongs to a local or anonymous user 873 */ 874 static uint32_t 875 smb_token_setup_wingrps(smb_token_t *token) 876 { 877 smb_ids_t tkn_grps; 878 uint32_t status; 879 880 881 /* 882 * We always want the user's primary group in the list 883 * of groups. 884 */ 885 tkn_grps.i_cnt = 1; 886 if ((tkn_grps.i_ids = malloc(sizeof (smb_id_t))) == NULL) 887 return (NT_STATUS_NO_MEMORY); 888 889 tkn_grps.i_ids->i_sid = smb_sid_dup(token->tkn_primary_grp.i_sid); 890 tkn_grps.i_ids->i_attrs = token->tkn_primary_grp.i_attrs; 891 if (tkn_grps.i_ids->i_sid == NULL) { 892 smb_ids_free(&tkn_grps); 893 return (NT_STATUS_NO_MEMORY); 894 } 895 896 status = smb_sam_usr_groups(token->tkn_user.i_sid, &tkn_grps); 897 if (status != NT_STATUS_SUCCESS) { 898 smb_ids_free(&tkn_grps); 899 return (status); 900 } 901 902 status = smb_wka_token_groups(token->tkn_flags, &tkn_grps); 903 if (status != NT_STATUS_SUCCESS) { 904 smb_ids_free(&tkn_grps); 905 return (status); 906 } 907 908 token->tkn_win_grps = tkn_grps; 909 return (status); 910 } 911 912 /* 913 * Returns the guest account name in the provided buffer. 914 * 915 * By default the name would be "guest" unless there's 916 * a idmap name-based rule which maps the guest to a local 917 * Solaris user in which case the name of that user is 918 * returned. 919 */ 920 static void 921 smb_guest_account(char *guest, size_t buflen) 922 { 923 idmap_stat stat; 924 uid_t guest_uid; 925 struct passwd pw; 926 char pwbuf[1024]; 927 int idtype; 928 929 /* default Guest account name */ 930 (void) rw_rdlock(&smb_logoninit_rwl); 931 (void) strlcpy(guest, smb_guest.a_name, buflen); 932 933 idtype = SMB_IDMAP_USER; 934 stat = smb_idmap_getid(smb_guest.a_sid, &guest_uid, &idtype); 935 (void) rw_unlock(&smb_logoninit_rwl); 936 937 if (stat != IDMAP_SUCCESS) 938 return; 939 940 if ((guest_uid > INT32_MAX) && (guest_uid != UINT32_MAX)) 941 /* Ephemeral ID, return the default name */ 942 return; 943 944 if (getpwuid_r(guest_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL) 945 return; 946 947 (void) strlcpy(guest, pw.pw_name, buflen); 948 } 949