xref: /illumos-gate/usr/src/lib/smbsrv/libmlsvc/common/smb_logon.c (revision 533affcbc7fc4d0c8132976ea454aaa715fe2307)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
23  * Copyright (c) 2016 by Delphix. All rights reserved.
24  * Copyright 2018 Nexenta Systems, Inc.  All rights reserved.
25  * Copyright 2023 RackTop Systems, Inc.
26  */
27 
28 #include <unistd.h>
29 #include <strings.h>
30 #include <pwd.h>
31 #include <grp.h>
32 #include <time.h>
33 #include <syslog.h>
34 #include <assert.h>
35 #include <synch.h>
36 
37 #include <smbsrv/libsmb.h>
38 #include <smbsrv/libmlsvc.h>
39 
40 #include <smbsrv/smbinfo.h>
41 #include <smbsrv/smb_token.h>
42 #include <lsalib.h>
43 
44 static smb_account_t smb_guest;
45 static smb_account_t smb_domusers;
46 static rwlock_t smb_logoninit_rwl;
47 
48 typedef void (*smb_logonop_t)(smb_logon_t *, smb_token_t *);
49 
50 static void smb_logon_local(smb_logon_t *, smb_token_t *);
51 static void smb_logon_guest(smb_logon_t *, smb_token_t *);
52 static void smb_logon_anon(smb_logon_t *, smb_token_t *);
53 
54 static uint32_t smb_token_auth_local(smb_logon_t *, smb_token_t *,
55     smb_passwd_t *);
56 
57 static uint32_t smb_token_setup_local(smb_passwd_t *, smb_token_t *);
58 static uint32_t smb_token_setup_guest(smb_logon_t *, smb_token_t *);
59 static uint32_t smb_token_setup_anon(smb_token_t *token);
60 
61 static boolean_t smb_token_is_member(smb_token_t *, smb_sid_t *);
62 static uint32_t smb_token_setup_wingrps(smb_token_t *);
63 static smb_posix_grps_t *smb_token_create_pxgrps(uid_t);
64 
65 static void smb_guest_account(char *, size_t);
66 
67 /* Consolidation private function from Network Repository */
68 extern int _getgroupsbymember(const char *, gid_t[], int, int);
69 
70 static idmap_stat
71 smb_token_idmap(smb_token_t *token, smb_idmap_batch_t *sib)
72 {
73 	idmap_stat stat;
74 	smb_idmap_t *sim;
75 	smb_id_t *id;
76 	int i;
77 
78 	if (!token || !sib)
79 		return (IDMAP_ERR_ARG);
80 
81 	sim = sib->sib_maps;
82 
83 	if (token->tkn_flags & SMB_ATF_ANON) {
84 		token->tkn_user.i_id = UID_NOBODY;
85 		token->tkn_owner.i_id = UID_NOBODY;
86 	} else {
87 		/* User SID */
88 		id = &token->tkn_user;
89 		sim->sim_id = &id->i_id;
90 		stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++,
91 		    id->i_sid, SMB_IDMAP_USER);
92 
93 		if (stat != IDMAP_SUCCESS)
94 			return (stat);
95 
96 		/* Owner SID */
97 		id = &token->tkn_owner;
98 		sim->sim_id = &id->i_id;
99 		stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++,
100 		    id->i_sid, SMB_IDMAP_USER);
101 
102 		if (stat != IDMAP_SUCCESS)
103 			return (stat);
104 	}
105 
106 	/* Primary Group SID */
107 	id = &token->tkn_primary_grp;
108 	sim->sim_id = &id->i_id;
109 	stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, id->i_sid,
110 	    SMB_IDMAP_GROUP);
111 
112 	if (stat != IDMAP_SUCCESS)
113 		return (stat);
114 
115 	/* Other Windows Group SIDs */
116 	for (i = 0; i < token->tkn_win_grps.i_cnt; i++, sim++) {
117 		id = &token->tkn_win_grps.i_ids[i];
118 		sim->sim_id = &id->i_id;
119 		stat = smb_idmap_batch_getid(sib->sib_idmaph, sim,
120 		    id->i_sid, SMB_IDMAP_GROUP);
121 
122 		if (stat != IDMAP_SUCCESS)
123 			break;
124 	}
125 
126 	return (stat);
127 }
128 
129 /*
130  * Custom error callback for smb_token_sids2ids
131  */
132 static void
133 smb_token_bgm_error(smb_idmap_batch_t *sib, smb_idmap_t *sim)
134 {
135 	syslog(LOG_INFO, "smb_token_sids2ids: Can't get ID for "
136 	    "SID %s-%u, status=%d",
137 	    sim->sim_domsid, sim->sim_rid, sim->sim_stat);
138 }
139 
140 /*
141  * smb_token_sids2ids
142  *
143  * This will map all the SIDs of the access token to UIDs/GIDs.
144  * However, if there are some SIDs we can't map to UIDs/GIDs,
145  * we don't want to fail the logon, and instead just log the
146  * SIDs we could not map and continue as best we can.
147  * The flag SMB_IDMAP_SKIP_ERRS below does that.
148  *
149  * Returns 0 upon success.  Otherwise, returns -1.
150  */
151 static int
152 smb_token_sids2ids(smb_token_t *token)
153 {
154 	idmap_stat stat;
155 	int nmaps;
156 	smb_idmap_batch_t sib;
157 
158 	/*
159 	 * Number of idmap lookups: user SID, owner SID, primary group SID,
160 	 * and all Windows group SIDs. Skip user/owner SID for Anonymous.
161 	 */
162 	if (token->tkn_flags & SMB_ATF_ANON)
163 		nmaps = token->tkn_win_grps.i_cnt + 1;
164 	else
165 		nmaps = token->tkn_win_grps.i_cnt + 3;
166 
167 	stat = smb_idmap_batch_create(&sib, nmaps,
168 	    SMB_IDMAP_SID2ID | SMB_IDMAP_SKIP_ERRS);
169 	if (stat != IDMAP_SUCCESS)
170 		return (-1);
171 
172 	stat = smb_token_idmap(token, &sib);
173 	if (stat != IDMAP_SUCCESS) {
174 		smb_idmap_batch_destroy(&sib);
175 		return (-1);
176 	}
177 
178 	/* Custom error CB here. */
179 	stat = smb_idmap_batch_getmappings(&sib, smb_token_bgm_error);
180 	if (sib.sib_nerr != 0) {
181 		syslog(LOG_DEBUG, "Token for user \"%s\\%s\" has "
182 		    "%d SIDs that could not be mapped to IDs",
183 		    (token->tkn_domain_name) ?
184 		    token->tkn_domain_name : "?",
185 		    (token->tkn_account_name) ?
186 		    token->tkn_account_name : "?",
187 		    sib.sib_nerr);
188 	}
189 
190 	smb_idmap_batch_destroy(&sib);
191 
192 	return (stat == IDMAP_SUCCESS ? 0 : -1);
193 }
194 
195 /*
196  * smb_token_create_pxgrps
197  *
198  * Setup the POSIX group membership of the access token if the given UID is
199  * a POSIX UID (non-ephemeral). Both the user's primary group and
200  * supplementary groups will be added to the POSIX group array of the access
201  * token.
202  */
203 static smb_posix_grps_t *
204 smb_token_create_pxgrps(uid_t uid)
205 {
206 	struct passwd *pwd;
207 	smb_posix_grps_t *pgrps;
208 	int ngroups_max, num;
209 	gid_t *gids;
210 
211 	if ((ngroups_max = sysconf(_SC_NGROUPS_MAX)) < 0) {
212 		syslog(LOG_ERR, "smb_logon: failed to get _SC_NGROUPS_MAX");
213 		return (NULL);
214 	}
215 
216 	pwd = getpwuid(uid);
217 	if (pwd == NULL) {
218 		pgrps = malloc(sizeof (smb_posix_grps_t));
219 		if (pgrps == NULL)
220 			return (NULL);
221 
222 		pgrps->pg_ngrps = 0;
223 		return (pgrps);
224 	}
225 
226 	if (pwd->pw_name == NULL) {
227 		pgrps = malloc(sizeof (smb_posix_grps_t));
228 		if (pgrps == NULL)
229 			return (NULL);
230 
231 		pgrps->pg_ngrps = 1;
232 		pgrps->pg_grps[0] = pwd->pw_gid;
233 		return (pgrps);
234 	}
235 
236 	gids = (gid_t *)malloc(ngroups_max * sizeof (gid_t));
237 	if (gids == NULL) {
238 		return (NULL);
239 	}
240 	bzero(gids, ngroups_max * sizeof (gid_t));
241 
242 	gids[0] = pwd->pw_gid;
243 
244 	/*
245 	 * Setup the groups starting at index 1 (the last arg)
246 	 * of gids array.
247 	 */
248 	num = _getgroupsbymember(pwd->pw_name, gids, ngroups_max, 1);
249 
250 	if (num == -1) {
251 		syslog(LOG_ERR, "smb_logon: unable "
252 		    "to get user's supplementary groups");
253 		num = 1;
254 	}
255 
256 	pgrps = (smb_posix_grps_t *)malloc(SMB_POSIX_GRPS_SIZE(num));
257 	if (pgrps) {
258 		pgrps->pg_ngrps = num;
259 		bcopy(gids, pgrps->pg_grps, num * sizeof (gid_t));
260 	}
261 
262 	free(gids);
263 	return (pgrps);
264 }
265 
266 /*
267  * smb_token_destroy
268  *
269  * Release all of the memory associated with a token structure. Ensure
270  * that the token has been unlinked before calling.
271  */
272 void
273 smb_token_destroy(smb_token_t *token)
274 {
275 	if (token != NULL) {
276 		smb_sid_free(token->tkn_user.i_sid);
277 		smb_sid_free(token->tkn_owner.i_sid);
278 		smb_sid_free(token->tkn_primary_grp.i_sid);
279 		smb_ids_free(&token->tkn_win_grps);
280 		smb_privset_free(token->tkn_privileges);
281 		free(token->tkn_posix_grps);
282 		free(token->tkn_account_name);
283 		free(token->tkn_domain_name);
284 		free(token->tkn_ssnkey.val);
285 		bzero(token, sizeof (smb_token_t));
286 		free(token);
287 	}
288 }
289 
290 /*
291  * Token owner should be set to local Administrators group
292  * in two cases:
293  *   1. The logged on user is a member of Domain Admins group
294  *   2. They are a member of local Administrators group
295  */
296 static void
297 smb_token_set_owner(smb_token_t *token)
298 {
299 #ifdef SMB_SUPPORT_GROUP_OWNER
300 	smb_sid_t *owner_sid;
301 
302 	if (token->tkn_flags & SMB_ATF_ADMIN) {
303 		owner_sid = smb_wka_get_sid("Administrators");
304 		assert(owner_sid);
305 	} else {
306 		owner_sid = token->tkn_user->i_sid;
307 	}
308 
309 	token->tkn_owner.i_sid = smb_sid_dup(owner_sid);
310 #endif
311 	token->tkn_owner.i_sid = smb_sid_dup(token->tkn_user.i_sid);
312 }
313 
314 static smb_privset_t *
315 smb_token_create_privs(smb_token_t *token)
316 {
317 	smb_privset_t *privs;
318 	smb_giter_t gi;
319 	smb_group_t grp;
320 	int rc;
321 
322 	privs = smb_privset_new();
323 	if (privs == NULL)
324 		return (NULL);
325 
326 	if (smb_lgrp_iteropen(&gi) != SMB_LGRP_SUCCESS) {
327 		smb_privset_free(privs);
328 		return (NULL);
329 	}
330 
331 	while (smb_lgrp_iterate(&gi, &grp) == SMB_LGRP_SUCCESS) {
332 		if (smb_lgrp_is_member(&grp, token->tkn_user.i_sid))
333 			smb_privset_merge(privs, grp.sg_privs);
334 		smb_lgrp_free(&grp);
335 	}
336 	smb_lgrp_iterclose(&gi);
337 
338 	if (token->tkn_flags & SMB_ATF_ADMIN) {
339 		char admgrp[] = "Administrators";
340 
341 		rc = smb_lgrp_getbyname(admgrp, &grp);
342 		if (rc == SMB_LGRP_SUCCESS) {
343 			smb_privset_merge(privs, grp.sg_privs);
344 			smb_lgrp_free(&grp);
345 		}
346 
347 		/*
348 		 * This privilege is required to view/edit SACL
349 		 */
350 		smb_privset_enable(privs, SE_SECURITY_LUID);
351 	}
352 
353 	/*
354 	 * Members of "Authenticated Users" (!anon) should normally get
355 	 * "Bypass traverse checking" privilege, though we allow this
356 	 * to be disabled (see smb.4).  For historical reasons, the
357 	 * internal privilege name is "SeChangeNotifyPrivilege".
358 	 */
359 	if ((token->tkn_flags & SMB_ATF_ANON) == 0 &&
360 	    smb_config_getbool(SMB_CI_BYPASS_TRAVERSE_CHECKING))
361 		smb_privset_enable(privs, SE_CHANGE_NOTIFY_LUID);
362 
363 	return (privs);
364 }
365 
366 static void
367 smb_token_set_flags(smb_token_t *token)
368 {
369 	if (smb_token_is_member(token, smb_wka_get_sid("Administrators")))
370 		token->tkn_flags |= SMB_ATF_ADMIN;
371 
372 	if (smb_token_is_member(token, smb_wka_get_sid("Power Users")))
373 		token->tkn_flags |= SMB_ATF_POWERUSER;
374 
375 	if (smb_token_is_member(token, smb_wka_get_sid("Backup Operators")))
376 		token->tkn_flags |= SMB_ATF_BACKUPOP;
377 }
378 
379 /*
380  * Common token setup for both local and domain users.
381  * This function must be called after the initial setup
382  * has been done.
383  *
384  * Note that the order of calls in this function are important.
385  *
386  * Returns B_TRUE for success.
387  */
388 boolean_t
389 smb_token_setup_common(smb_token_t *token)
390 {
391 	smb_token_set_flags(token);
392 
393 	smb_token_set_owner(token);
394 	if (token->tkn_owner.i_sid == NULL)
395 		return (B_FALSE);
396 
397 	/* Privileges */
398 	token->tkn_privileges = smb_token_create_privs(token);
399 	if (token->tkn_privileges == NULL)
400 		return (B_FALSE);
401 
402 	if (smb_token_sids2ids(token) != 0) {
403 		syslog(LOG_ERR, "%s\\%s: idmap failed",
404 		    token->tkn_domain_name, token->tkn_account_name);
405 		return (B_FALSE);
406 	}
407 
408 	/* Solaris Groups */
409 	token->tkn_posix_grps = smb_token_create_pxgrps(token->tkn_user.i_id);
410 
411 	return (smb_token_valid(token));
412 }
413 
414 uint32_t
415 smb_logon_init(void)
416 {
417 	uint32_t status;
418 
419 	(void) rw_wrlock(&smb_logoninit_rwl);
420 	status = smb_sam_lookup_name(NULL, "guest", SidTypeUser, &smb_guest);
421 	if (status != NT_STATUS_SUCCESS) {
422 		(void) rw_unlock(&smb_logoninit_rwl);
423 		return (status);
424 	}
425 
426 	status = smb_sam_lookup_name(NULL, "domain users", SidTypeGroup,
427 	    &smb_domusers);
428 	if (status != NT_STATUS_SUCCESS) {
429 		smb_account_free(&smb_guest);
430 		bzero(&smb_guest, sizeof (smb_account_t));
431 		(void) rw_unlock(&smb_logoninit_rwl);
432 		return (status);
433 	}
434 
435 	(void) rw_unlock(&smb_logoninit_rwl);
436 	return (status);
437 }
438 
439 void
440 smb_logon_fini(void)
441 {
442 	(void) rw_wrlock(&smb_logoninit_rwl);
443 	smb_account_free(&smb_guest);
444 	smb_account_free(&smb_domusers);
445 	bzero(&smb_guest, sizeof (smb_account_t));
446 	bzero(&smb_domusers, sizeof (smb_account_t));
447 	(void) rw_unlock(&smb_logoninit_rwl);
448 }
449 
450 /*
451  * Perform user authentication.
452  *
453  * The dispatched functions must only update the user_info status if they
454  * attempt to authenticate the user.
455  *
456  * On success, a pointer to a new access token is returned.
457  * On failure, NULL return and status in user_info->lg_status
458  */
459 smb_token_t *
460 smb_logon(smb_logon_t *user_info)
461 {
462 	static smb_logonop_t	ops[] = {
463 		smb_logon_anon,
464 		smb_logon_local,
465 		smb_logon_domain,
466 		smb_logon_guest
467 	};
468 	smb_token_t		*token = NULL;
469 	smb_domain_t		domain;
470 	int			n_op = (sizeof (ops) / sizeof (ops[0]));
471 	int			i;
472 
473 	user_info->lg_secmode = smb_config_get_secmode();
474 
475 	if (smb_domain_lookup_name(user_info->lg_e_domain, &domain))
476 		user_info->lg_domain_type = domain.di_type;
477 	else
478 		user_info->lg_domain_type = SMB_DOMAIN_NULL;
479 
480 	if ((token = calloc(1, sizeof (smb_token_t))) == NULL) {
481 		syslog(LOG_ERR, "logon[%s\\%s]: %m",
482 		    user_info->lg_e_domain, user_info->lg_e_username);
483 		return (NULL);
484 	}
485 
486 	/*
487 	 * If any logonop function takes significant action
488 	 * (logon or authoratative failure) it will change
489 	 * this status field to something else.
490 	 */
491 	user_info->lg_status = NT_STATUS_NO_SUCH_USER;
492 	for (i = 0; i < n_op; ++i) {
493 		(*ops[i])(user_info, token);
494 
495 		if (user_info->lg_status == NT_STATUS_SUCCESS)
496 			break;
497 	}
498 
499 	if (user_info->lg_status == NT_STATUS_SUCCESS) {
500 		if (smb_token_setup_common(token))
501 			return (token); /* success */
502 		/*
503 		 * (else) smb_token_setup_common failed, which usually
504 		 * means smb_token_sids2ids() failed to map some SIDs to
505 		 * Unix IDs.  This indicates an idmap config problem.
506 		 */
507 		user_info->lg_status = NT_STATUS_INTERNAL_ERROR;
508 	}
509 
510 	smb_token_destroy(token);
511 
512 	/*
513 	 * Any unknown user or bad password should result in
514 	 * NT_STATUS_LOGON_FAILURE (so we don't give hints).
515 	 */
516 	if (user_info->lg_status == NT_STATUS_NO_SUCH_USER ||
517 	    user_info->lg_status == NT_STATUS_WRONG_PASSWORD)
518 		user_info->lg_status = NT_STATUS_LOGON_FAILURE;
519 
520 	return (NULL);
521 }
522 
523 /*
524  * If the user has an entry in the local database, attempt local authentication.
525  *
526  * In domain mode, we try to exclude domain accounts, which we do by only
527  * accepting local or null (blank) domain names here.  Some clients (Mac OS)
528  * don't always send the domain name.
529  *
530  * If we are not going to attempt authentication, this function must return
531  * without updating the status.
532  */
533 static void
534 smb_logon_local(smb_logon_t *user_info, smb_token_t *token)
535 {
536 	char guest[SMB_USERNAME_MAXLEN];
537 	smb_passwd_t smbpw;
538 	uint32_t status;
539 
540 	if (user_info->lg_secmode == SMB_SECMODE_DOMAIN) {
541 		if ((user_info->lg_domain_type != SMB_DOMAIN_LOCAL) &&
542 		    (user_info->lg_domain_type != SMB_DOMAIN_NULL))
543 			return;
544 	}
545 
546 	/*
547 	 * If the requested account name is "guest" (or whatever
548 	 * our guest account is named) then don't handle it here.
549 	 * Let this request fall through to smb_logon_guest().
550 	 */
551 	smb_guest_account(guest, SMB_USERNAME_MAXLEN);
552 	if (smb_strcasecmp(guest, user_info->lg_e_username, 0) == 0)
553 		return;
554 
555 	status = smb_token_auth_local(user_info, token, &smbpw);
556 	if (status == NT_STATUS_SUCCESS)
557 		status = smb_token_setup_local(&smbpw, token);
558 
559 	user_info->lg_status = status;
560 }
561 
562 /*
563  * Guest authentication.  This may be a local guest account or the guest
564  * account may be mapped to a local account.  These accounts are regular
565  * accounts with normal password protection.
566  *
567  * Only proceed with a guest logon if previous logon options have resulted
568  * in NO_SUCH_USER.
569  *
570  * If we are not going to attempt authentication, this function must return
571  * without updating the status.
572  */
573 static void
574 smb_logon_guest(smb_logon_t *user_info, smb_token_t *token)
575 {
576 	char guest[SMB_USERNAME_MAXLEN];
577 	smb_passwd_t smbpw;
578 	char *temp;
579 
580 	if (user_info->lg_status != NT_STATUS_NO_SUCH_USER)
581 		return;
582 
583 	/* Get the name of the guest account. */
584 	smb_guest_account(guest, SMB_USERNAME_MAXLEN);
585 
586 	/* Does the guest account exist? */
587 	if (smb_pwd_getpwnam(guest, &smbpw) == NULL)
588 		return;
589 
590 	/* Is it enabled? (empty p/w is OK) */
591 	if (smbpw.pw_flags & SMB_PWF_DISABLE)
592 		return;
593 
594 	/*
595 	 * OK, give the client a guest logon.  Note that on entry,
596 	 * lg_e_username is typically something other than "guest"
597 	 * so we need to set the effective username when createing
598 	 * the guest token.
599 	 */
600 	temp = user_info->lg_e_username;
601 	user_info->lg_e_username = guest;
602 	user_info->lg_status = smb_token_setup_guest(user_info, token);
603 	user_info->lg_e_username = temp;
604 }
605 
606 /*
607  * If user_info represents an anonymous user then setup the token.
608  * Otherwise return without updating the status.
609  */
610 static void
611 smb_logon_anon(smb_logon_t *user_info, smb_token_t *token)
612 {
613 	if (user_info->lg_flags & SMB_ATF_ANON)
614 		user_info->lg_status = smb_token_setup_anon(token);
615 }
616 
617 /*
618  * Try both LM hash and NT hashes with user's password(s) to authenticate
619  * the user.
620  */
621 static uint32_t
622 smb_token_auth_local(smb_logon_t *user_info, smb_token_t *token,
623     smb_passwd_t *smbpw)
624 {
625 	boolean_t ok;
626 	uint32_t status = NT_STATUS_SUCCESS;
627 
628 	if (smb_pwd_getpwnam(user_info->lg_e_username, smbpw) == NULL)
629 		return (NT_STATUS_NO_SUCH_USER);
630 
631 	if (smbpw->pw_flags & SMB_PWF_DISABLE)
632 		return (NT_STATUS_ACCOUNT_DISABLED);
633 
634 	if ((smbpw->pw_flags & (SMB_PWF_LM | SMB_PWF_NT)) == 0) {
635 		/*
636 		 * The SMB passwords have not been set.
637 		 * Return an error that suggests the
638 		 * password needs to be set.
639 		 */
640 		return (NT_STATUS_PASSWORD_EXPIRED);
641 	}
642 
643 	token->tkn_ssnkey.val = malloc(SMBAUTH_SESSION_KEY_SZ);
644 	if (token->tkn_ssnkey.val == NULL)
645 		return (NT_STATUS_NO_MEMORY);
646 	token->tkn_ssnkey.len = SMBAUTH_SESSION_KEY_SZ;
647 
648 	ok = smb_auth_validate(
649 	    smbpw,
650 	    user_info->lg_domain,
651 	    user_info->lg_username,
652 	    user_info->lg_challenge_key.val,
653 	    user_info->lg_challenge_key.len,
654 	    user_info->lg_nt_password.val,
655 	    user_info->lg_nt_password.len,
656 	    user_info->lg_lm_password.val,
657 	    user_info->lg_lm_password.len,
658 	    token->tkn_ssnkey.val);
659 	if (ok)
660 		return (NT_STATUS_SUCCESS);
661 
662 	free(token->tkn_ssnkey.val);
663 	token->tkn_ssnkey.val = NULL;
664 	token->tkn_ssnkey.len = 0;
665 
666 	status = NT_STATUS_WRONG_PASSWORD;
667 	syslog(LOG_NOTICE, "logon[%s\\%s]: %s",
668 	    user_info->lg_e_domain, user_info->lg_e_username,
669 	    xlate_nt_status(status));
670 
671 	return (status);
672 }
673 
674 /*
675  * Setup an access token for the specified local user.
676  */
677 static uint32_t
678 smb_token_setup_local(smb_passwd_t *smbpw, smb_token_t *token)
679 {
680 	idmap_stat stat;
681 	smb_idmap_batch_t sib;
682 	smb_idmap_t *umap, *gmap;
683 	struct passwd pw;
684 	char pwbuf[1024];
685 	char nbname[NETBIOS_NAME_SZ];
686 
687 	(void) smb_getnetbiosname(nbname, sizeof (nbname));
688 	token->tkn_account_name = strdup(smbpw->pw_name);
689 	token->tkn_domain_name = strdup(nbname);
690 
691 	if (token->tkn_account_name == NULL ||
692 	    token->tkn_domain_name == NULL)
693 		return (NT_STATUS_NO_MEMORY);
694 
695 	if (getpwuid_r(smbpw->pw_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL)
696 		return (NT_STATUS_NO_SUCH_USER);
697 
698 	/* Get the SID for user's uid & gid */
699 	stat = smb_idmap_batch_create(&sib, 2, SMB_IDMAP_ID2SID);
700 	if (stat != IDMAP_SUCCESS)
701 		return (NT_STATUS_INTERNAL_ERROR);
702 
703 	umap = &sib.sib_maps[0];
704 	stat = smb_idmap_batch_getsid(sib.sib_idmaph, umap, pw.pw_uid,
705 	    SMB_IDMAP_USER);
706 
707 	if (stat != IDMAP_SUCCESS) {
708 		smb_idmap_batch_destroy(&sib);
709 		return (NT_STATUS_INTERNAL_ERROR);
710 	}
711 
712 	gmap = &sib.sib_maps[1];
713 	stat = smb_idmap_batch_getsid(sib.sib_idmaph, gmap, pw.pw_gid,
714 	    SMB_IDMAP_GROUP);
715 
716 	if (stat != IDMAP_SUCCESS) {
717 		smb_idmap_batch_destroy(&sib);
718 		return (NT_STATUS_INTERNAL_ERROR);
719 	}
720 
721 	/* No error CB.  Report errors below. */
722 	stat = smb_idmap_batch_getmappings(&sib, NULL);
723 
724 	if (stat != IDMAP_SUCCESS) {
725 		syslog(LOG_NOTICE, "logon[%s\\%s]: Can't get SID for "
726 		    "primary GID or UID",
727 		    nbname, smbpw->pw_name);
728 		smb_idmap_batch_destroy(&sib);
729 		return (NT_STATUS_INTERNAL_ERROR);
730 	}
731 
732 	token->tkn_user.i_sid = smb_sid_dup(umap->sim_sid);
733 	token->tkn_primary_grp.i_sid = smb_sid_dup(gmap->sim_sid);
734 
735 	smb_idmap_batch_destroy(&sib);
736 
737 	if (token->tkn_user.i_sid == NULL ||
738 	    token->tkn_primary_grp.i_sid == NULL)
739 		return (NT_STATUS_NO_MEMORY);
740 
741 	return (smb_token_setup_wingrps(token));
742 }
743 
744 /*
745  * Setup access token for guest connections
746  */
747 static uint32_t
748 smb_token_setup_guest(smb_logon_t *user_info, smb_token_t *token)
749 {
750 	token->tkn_account_name = strdup(user_info->lg_e_username);
751 
752 	(void) rw_rdlock(&smb_logoninit_rwl);
753 	token->tkn_domain_name = strdup(smb_guest.a_domain);
754 	token->tkn_user.i_sid = smb_sid_dup(smb_guest.a_sid);
755 	token->tkn_primary_grp.i_sid = smb_sid_dup(smb_domusers.a_sid);
756 	(void) rw_unlock(&smb_logoninit_rwl);
757 	token->tkn_flags = SMB_ATF_GUEST;
758 
759 	/*
760 	 * [MS-NLMP] 3.2.5.1.2 "Server Receives an AUTHENTICATE_MESSAGE from the
761 	 * Client":
762 	 * The 'SessionBaseKey' for Guests is 16-bytes of 0s.
763 	 */
764 	token->tkn_ssnkey.val = calloc(1, SMBAUTH_SESSION_KEY_SZ);
765 
766 	if (token->tkn_account_name == NULL ||
767 	    token->tkn_domain_name == NULL ||
768 	    token->tkn_user.i_sid == NULL ||
769 	    token->tkn_primary_grp.i_sid == NULL ||
770 	    token->tkn_ssnkey.val == NULL)
771 		return (NT_STATUS_NO_MEMORY);
772 
773 	token->tkn_ssnkey.len = SMBAUTH_SESSION_KEY_SZ;
774 	return (smb_token_setup_wingrps(token));
775 }
776 
777 /*
778  * Setup access token for anonymous connections
779  */
780 static uint32_t
781 smb_token_setup_anon(smb_token_t *token)
782 {
783 	smb_sid_t *user_sid;
784 
785 	token->tkn_account_name = strdup("Anonymous");
786 	token->tkn_domain_name = strdup("NT Authority");
787 	user_sid = smb_wka_get_sid("Anonymous");
788 	token->tkn_user.i_sid = smb_sid_dup(user_sid);
789 	token->tkn_primary_grp.i_sid = smb_sid_dup(user_sid);
790 	token->tkn_flags = SMB_ATF_ANON;
791 
792 	/*
793 	 * [MS-NLMP] 3.2.5.1.2 "Server Receives an AUTHENTICATE_MESSAGE from the
794 	 * Client":
795 	 * The 'SessionBaseKey' for Anonymous users is 16-bytes of 0s.
796 	 */
797 	token->tkn_ssnkey.val = calloc(1, SMBAUTH_SESSION_KEY_SZ);
798 
799 	if (token->tkn_account_name == NULL ||
800 	    token->tkn_domain_name == NULL ||
801 	    token->tkn_user.i_sid == NULL ||
802 	    token->tkn_primary_grp.i_sid == NULL ||
803 	    token->tkn_ssnkey.val == NULL)
804 		return (NT_STATUS_NO_MEMORY);
805 
806 	token->tkn_ssnkey.len = SMBAUTH_SESSION_KEY_SZ;
807 	return (smb_token_setup_wingrps(token));
808 }
809 
810 /*
811  * smb_token_user_sid
812  *
813  * Return a pointer to the user SID in the specified token. A null
814  * pointer indicates an error.
815  */
816 static smb_sid_t *
817 smb_token_user_sid(smb_token_t *token)
818 {
819 	return ((token) ? token->tkn_user.i_sid : NULL);
820 }
821 
822 /*
823  * smb_token_group_sid
824  *
825  * Return a pointer to the group SID as indicated by the iterator.
826  * Setting the iterator to 0 before calling this function will return
827  * the first group, which will always be the primary group. The
828  * iterator will be incremented before returning the SID so that this
829  * function can be used to cycle through the groups. The caller can
830  * adjust the iterator as required between calls to obtain any specific
831  * group.
832  *
833  * On success a pointer to the appropriate group SID will be returned.
834  * Otherwise a null pointer will be returned.
835  */
836 static smb_sid_t *
837 smb_token_group_sid(smb_token_t *token, int *iterator)
838 {
839 	int index;
840 
841 	if (token == NULL || iterator == NULL)
842 		return (NULL);
843 
844 	if (token->tkn_win_grps.i_ids == NULL)
845 		return (NULL);
846 
847 	index = *iterator;
848 
849 	if (index < 0 || index >= token->tkn_win_grps.i_cnt)
850 		return (NULL);
851 
852 	++(*iterator);
853 	return (token->tkn_win_grps.i_ids[index].i_sid);
854 }
855 
856 /*
857  * smb_token_is_member
858  *
859  * This function will determine whether or not the specified SID is a
860  * member of a token. The user SID and all group SIDs are tested.
861  * Returns 1 if the SID is a member of the token. Otherwise returns 0.
862  */
863 static boolean_t
864 smb_token_is_member(smb_token_t *token, smb_sid_t *sid)
865 {
866 	smb_sid_t *tsid;
867 	int iterator = 0;
868 
869 	if (token == NULL || sid == NULL)
870 		return (B_FALSE);
871 
872 	tsid = smb_token_user_sid(token);
873 	while (tsid) {
874 		if (smb_sid_cmp(tsid, sid))
875 			return (B_TRUE);
876 
877 		tsid = smb_token_group_sid(token, &iterator);
878 	}
879 
880 	return (B_FALSE);
881 }
882 
883 /*
884  * smb_token_log
885  *
886  * Diagnostic routine to write the contents of a token to the log.
887  */
888 void
889 smb_token_log(smb_token_t *token)
890 {
891 	smb_ids_t *w_grps;
892 	smb_id_t *grp;
893 	smb_posix_grps_t *x_grps;
894 	char sidstr[SMB_SID_STRSZ];
895 	int i;
896 
897 	if (token == NULL)
898 		return;
899 
900 	syslog(LOG_DEBUG, "Token for %s\\%s",
901 	    (token->tkn_domain_name) ? token->tkn_domain_name : "-NULL-",
902 	    (token->tkn_account_name) ? token->tkn_account_name : "-NULL-");
903 
904 	syslog(LOG_DEBUG, "   User->Attr: %d", token->tkn_user.i_attrs);
905 	smb_sid_tostr((smb_sid_t *)token->tkn_user.i_sid, sidstr);
906 	syslog(LOG_DEBUG, "   User->Sid: %s (id=%u)", sidstr,
907 	    token->tkn_user.i_id);
908 
909 	smb_sid_tostr((smb_sid_t *)token->tkn_owner.i_sid, sidstr);
910 	syslog(LOG_DEBUG, "   Ownr->Sid: %s (id=%u)",
911 	    sidstr, token->tkn_owner.i_id);
912 
913 	smb_sid_tostr((smb_sid_t *)token->tkn_primary_grp.i_sid, sidstr);
914 	syslog(LOG_DEBUG, "   PGrp->Sid: %s (id=%u)",
915 	    sidstr, token->tkn_primary_grp.i_id);
916 
917 	w_grps = &token->tkn_win_grps;
918 	if (w_grps->i_ids) {
919 		syslog(LOG_DEBUG, "   Windows groups: %d", w_grps->i_cnt);
920 		grp = w_grps->i_ids;
921 		for (i = 0; i < w_grps->i_cnt; ++i, grp++) {
922 			syslog(LOG_DEBUG,
923 			    "    Grp[%d].Attr:%d", i, grp->i_attrs);
924 			if (grp->i_sid != NULL) {
925 				smb_sid_tostr((smb_sid_t *)grp->i_sid, sidstr);
926 				syslog(LOG_DEBUG,
927 				    "    Grp[%d].Sid: %s (id=%u)", i, sidstr,
928 				    grp->i_id);
929 			}
930 		}
931 	} else {
932 		syslog(LOG_DEBUG, "   No Windows groups");
933 	}
934 
935 	x_grps = token->tkn_posix_grps;
936 	if (x_grps) {
937 		syslog(LOG_DEBUG, "   Solaris groups: %d", x_grps->pg_ngrps);
938 		for (i = 0; i < x_grps->pg_ngrps; i++)
939 			syslog(LOG_DEBUG, "    %u", x_grps->pg_grps[i]);
940 	} else {
941 		syslog(LOG_DEBUG, "   No Solaris groups");
942 	}
943 
944 	if (token->tkn_privileges)
945 		smb_privset_log(token->tkn_privileges);
946 	else
947 		syslog(LOG_DEBUG, "   No privileges");
948 }
949 
950 /*
951  * Sets up local and well-known group membership for the given
952  * token. Two assumptions have been made here:
953  *
954  *   a) token already contains a valid user SID so that group
955  *      memberships can be established
956  *
957  *   b) token belongs to a local or anonymous user
958  */
959 static uint32_t
960 smb_token_setup_wingrps(smb_token_t *token)
961 {
962 	smb_ids_t tkn_grps;
963 	uint32_t status;
964 
965 
966 	/*
967 	 * We always want the user's primary group in the list
968 	 * of groups.
969 	 */
970 	tkn_grps.i_cnt = 1;
971 	if ((tkn_grps.i_ids = malloc(sizeof (smb_id_t))) == NULL)
972 		return (NT_STATUS_NO_MEMORY);
973 
974 	tkn_grps.i_ids->i_sid = smb_sid_dup(token->tkn_primary_grp.i_sid);
975 	tkn_grps.i_ids->i_attrs = token->tkn_primary_grp.i_attrs;
976 	if (tkn_grps.i_ids->i_sid == NULL) {
977 		smb_ids_free(&tkn_grps);
978 		return (NT_STATUS_NO_MEMORY);
979 	}
980 
981 	status = smb_sam_usr_groups(token->tkn_user.i_sid, &tkn_grps);
982 	if (status != NT_STATUS_SUCCESS) {
983 		smb_ids_free(&tkn_grps);
984 		return (status);
985 	}
986 
987 	status = smb_wka_token_groups(token->tkn_flags, &tkn_grps);
988 	if (status != NT_STATUS_SUCCESS) {
989 		smb_ids_free(&tkn_grps);
990 		return (status);
991 	}
992 
993 	token->tkn_win_grps = tkn_grps;
994 	return (status);
995 }
996 
997 /*
998  * Returns the guest account name in the provided buffer.
999  *
1000  * By default the name would be "guest" unless there's
1001  * a idmap name-based rule which maps the guest to a local
1002  * Solaris user in which case the name of that user is
1003  * returned.
1004  */
1005 static void
1006 smb_guest_account(char *guest, size_t buflen)
1007 {
1008 	idmap_stat stat;
1009 	uid_t guest_uid;
1010 	struct passwd pw;
1011 	char pwbuf[1024];
1012 	int idtype;
1013 
1014 	/* default Guest account name */
1015 	(void) rw_rdlock(&smb_logoninit_rwl);
1016 	(void) strlcpy(guest, smb_guest.a_name, buflen);
1017 
1018 	idtype = SMB_IDMAP_USER;
1019 	stat = smb_idmap_getid(smb_guest.a_sid, &guest_uid, &idtype);
1020 	(void) rw_unlock(&smb_logoninit_rwl);
1021 
1022 	if (stat != IDMAP_SUCCESS)
1023 		return;
1024 
1025 	/* If Ephemeral ID return the default name */
1026 	if (IDMAP_ID_IS_EPHEMERAL(guest_uid))
1027 		return;
1028 
1029 	if (getpwuid_r(guest_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL)
1030 		return;
1031 
1032 	(void) strlcpy(guest, pw.pw_name, buflen);
1033 }
1034