1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright (c) 2016 by Delphix. All rights reserved. 24 * Copyright 2018 Nexenta Systems, Inc. All rights reserved. 25 * Copyright 2023 RackTop Systems, Inc. 26 */ 27 28 #include <unistd.h> 29 #include <strings.h> 30 #include <pwd.h> 31 #include <grp.h> 32 #include <time.h> 33 #include <syslog.h> 34 #include <assert.h> 35 #include <synch.h> 36 37 #include <smbsrv/libsmb.h> 38 #include <smbsrv/libmlsvc.h> 39 40 #include <smbsrv/smbinfo.h> 41 #include <smbsrv/smb_token.h> 42 #include <lsalib.h> 43 44 static smb_account_t smb_guest; 45 static smb_account_t smb_domusers; 46 static rwlock_t smb_logoninit_rwl; 47 48 typedef void (*smb_logonop_t)(smb_logon_t *, smb_token_t *); 49 50 static void smb_logon_local(smb_logon_t *, smb_token_t *); 51 static void smb_logon_guest(smb_logon_t *, smb_token_t *); 52 static void smb_logon_anon(smb_logon_t *, smb_token_t *); 53 54 static uint32_t smb_token_auth_local(smb_logon_t *, smb_token_t *, 55 smb_passwd_t *); 56 57 static uint32_t smb_token_setup_local(smb_passwd_t *, smb_token_t *); 58 static uint32_t smb_token_setup_guest(smb_logon_t *, smb_token_t *); 59 static uint32_t smb_token_setup_anon(smb_token_t *token); 60 61 static boolean_t smb_token_is_member(smb_token_t *, smb_sid_t *); 62 static uint32_t smb_token_setup_wingrps(smb_token_t *); 63 static smb_posix_grps_t *smb_token_create_pxgrps(uid_t); 64 65 static void smb_guest_account(char *, size_t); 66 67 /* Consolidation private function from Network Repository */ 68 extern int _getgroupsbymember(const char *, gid_t[], int, int); 69 70 static idmap_stat 71 smb_token_idmap(smb_token_t *token, smb_idmap_batch_t *sib) 72 { 73 idmap_stat stat; 74 smb_idmap_t *sim; 75 smb_id_t *id; 76 int i; 77 78 if (!token || !sib) 79 return (IDMAP_ERR_ARG); 80 81 sim = sib->sib_maps; 82 83 if (token->tkn_flags & SMB_ATF_ANON) { 84 token->tkn_user.i_id = UID_NOBODY; 85 token->tkn_owner.i_id = UID_NOBODY; 86 } else { 87 /* User SID */ 88 id = &token->tkn_user; 89 sim->sim_id = &id->i_id; 90 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, 91 id->i_sid, SMB_IDMAP_USER); 92 93 if (stat != IDMAP_SUCCESS) 94 return (stat); 95 96 /* Owner SID */ 97 id = &token->tkn_owner; 98 sim->sim_id = &id->i_id; 99 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, 100 id->i_sid, SMB_IDMAP_USER); 101 102 if (stat != IDMAP_SUCCESS) 103 return (stat); 104 } 105 106 /* Primary Group SID */ 107 id = &token->tkn_primary_grp; 108 sim->sim_id = &id->i_id; 109 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, id->i_sid, 110 SMB_IDMAP_GROUP); 111 112 if (stat != IDMAP_SUCCESS) 113 return (stat); 114 115 /* Other Windows Group SIDs */ 116 for (i = 0; i < token->tkn_win_grps.i_cnt; i++, sim++) { 117 id = &token->tkn_win_grps.i_ids[i]; 118 sim->sim_id = &id->i_id; 119 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim, 120 id->i_sid, SMB_IDMAP_GROUP); 121 122 if (stat != IDMAP_SUCCESS) 123 break; 124 } 125 126 return (stat); 127 } 128 129 /* 130 * Custom error callback for smb_token_sids2ids 131 */ 132 static void 133 smb_token_bgm_error(smb_idmap_batch_t *sib, smb_idmap_t *sim) 134 { 135 syslog(LOG_INFO, "smb_token_sids2ids: Can't get ID for " 136 "SID %s-%u, status=%d", 137 sim->sim_domsid, sim->sim_rid, sim->sim_stat); 138 } 139 140 /* 141 * smb_token_sids2ids 142 * 143 * This will map all the SIDs of the access token to UIDs/GIDs. 144 * However, if there are some SIDs we can't map to UIDs/GIDs, 145 * we don't want to fail the logon, and instead just log the 146 * SIDs we could not map and continue as best we can. 147 * The flag SMB_IDMAP_SKIP_ERRS below does that. 148 * 149 * Returns 0 upon success. Otherwise, returns -1. 150 */ 151 static int 152 smb_token_sids2ids(smb_token_t *token) 153 { 154 idmap_stat stat; 155 int nmaps; 156 smb_idmap_batch_t sib; 157 158 /* 159 * Number of idmap lookups: user SID, owner SID, primary group SID, 160 * and all Windows group SIDs. Skip user/owner SID for Anonymous. 161 */ 162 if (token->tkn_flags & SMB_ATF_ANON) 163 nmaps = token->tkn_win_grps.i_cnt + 1; 164 else 165 nmaps = token->tkn_win_grps.i_cnt + 3; 166 167 stat = smb_idmap_batch_create(&sib, nmaps, 168 SMB_IDMAP_SID2ID | SMB_IDMAP_SKIP_ERRS); 169 if (stat != IDMAP_SUCCESS) 170 return (-1); 171 172 stat = smb_token_idmap(token, &sib); 173 if (stat != IDMAP_SUCCESS) { 174 smb_idmap_batch_destroy(&sib); 175 return (-1); 176 } 177 178 /* Custom error CB here. */ 179 stat = smb_idmap_batch_getmappings(&sib, smb_token_bgm_error); 180 if (sib.sib_nerr != 0) { 181 syslog(LOG_DEBUG, "Token for user \"%s\\%s\" has " 182 "%d SIDs that could not be mapped to IDs", 183 (token->tkn_domain_name) ? 184 token->tkn_domain_name : "?", 185 (token->tkn_account_name) ? 186 token->tkn_account_name : "?", 187 sib.sib_nerr); 188 } 189 190 smb_idmap_batch_destroy(&sib); 191 192 return (stat == IDMAP_SUCCESS ? 0 : -1); 193 } 194 195 /* 196 * smb_token_create_pxgrps 197 * 198 * Setup the POSIX group membership of the access token if the given UID is 199 * a POSIX UID (non-ephemeral). Both the user's primary group and 200 * supplementary groups will be added to the POSIX group array of the access 201 * token. 202 */ 203 static smb_posix_grps_t * 204 smb_token_create_pxgrps(uid_t uid) 205 { 206 struct passwd *pwd; 207 smb_posix_grps_t *pgrps; 208 int ngroups_max, num; 209 gid_t *gids; 210 211 if ((ngroups_max = sysconf(_SC_NGROUPS_MAX)) < 0) { 212 syslog(LOG_ERR, "smb_logon: failed to get _SC_NGROUPS_MAX"); 213 return (NULL); 214 } 215 216 pwd = getpwuid(uid); 217 if (pwd == NULL) { 218 pgrps = malloc(sizeof (smb_posix_grps_t)); 219 if (pgrps == NULL) 220 return (NULL); 221 222 pgrps->pg_ngrps = 0; 223 return (pgrps); 224 } 225 226 if (pwd->pw_name == NULL) { 227 pgrps = malloc(sizeof (smb_posix_grps_t)); 228 if (pgrps == NULL) 229 return (NULL); 230 231 pgrps->pg_ngrps = 1; 232 pgrps->pg_grps[0] = pwd->pw_gid; 233 return (pgrps); 234 } 235 236 gids = (gid_t *)malloc(ngroups_max * sizeof (gid_t)); 237 if (gids == NULL) { 238 return (NULL); 239 } 240 bzero(gids, ngroups_max * sizeof (gid_t)); 241 242 gids[0] = pwd->pw_gid; 243 244 /* 245 * Setup the groups starting at index 1 (the last arg) 246 * of gids array. 247 */ 248 num = _getgroupsbymember(pwd->pw_name, gids, ngroups_max, 1); 249 250 if (num == -1) { 251 syslog(LOG_ERR, "smb_logon: unable " 252 "to get user's supplementary groups"); 253 num = 1; 254 } 255 256 pgrps = (smb_posix_grps_t *)malloc(SMB_POSIX_GRPS_SIZE(num)); 257 if (pgrps) { 258 pgrps->pg_ngrps = num; 259 bcopy(gids, pgrps->pg_grps, num * sizeof (gid_t)); 260 } 261 262 free(gids); 263 return (pgrps); 264 } 265 266 /* 267 * smb_token_destroy 268 * 269 * Release all of the memory associated with a token structure. Ensure 270 * that the token has been unlinked before calling. 271 */ 272 void 273 smb_token_destroy(smb_token_t *token) 274 { 275 if (token != NULL) { 276 smb_sid_free(token->tkn_user.i_sid); 277 smb_sid_free(token->tkn_owner.i_sid); 278 smb_sid_free(token->tkn_primary_grp.i_sid); 279 smb_ids_free(&token->tkn_win_grps); 280 smb_privset_free(token->tkn_privileges); 281 free(token->tkn_posix_grps); 282 free(token->tkn_account_name); 283 free(token->tkn_domain_name); 284 free(token->tkn_ssnkey.val); 285 bzero(token, sizeof (smb_token_t)); 286 free(token); 287 } 288 } 289 290 /* 291 * Token owner should be set to local Administrators group 292 * in two cases: 293 * 1. The logged on user is a member of Domain Admins group 294 * 2. They are a member of local Administrators group 295 */ 296 static void 297 smb_token_set_owner(smb_token_t *token) 298 { 299 #ifdef SMB_SUPPORT_GROUP_OWNER 300 smb_sid_t *owner_sid; 301 302 if (token->tkn_flags & SMB_ATF_ADMIN) { 303 owner_sid = smb_wka_get_sid("Administrators"); 304 assert(owner_sid); 305 } else { 306 owner_sid = token->tkn_user->i_sid; 307 } 308 309 token->tkn_owner.i_sid = smb_sid_dup(owner_sid); 310 #endif 311 token->tkn_owner.i_sid = smb_sid_dup(token->tkn_user.i_sid); 312 } 313 314 static smb_privset_t * 315 smb_token_create_privs(smb_token_t *token) 316 { 317 smb_privset_t *privs; 318 smb_giter_t gi; 319 smb_group_t grp; 320 int rc; 321 322 privs = smb_privset_new(); 323 if (privs == NULL) 324 return (NULL); 325 326 if (smb_lgrp_iteropen(&gi) != SMB_LGRP_SUCCESS) { 327 smb_privset_free(privs); 328 return (NULL); 329 } 330 331 while (smb_lgrp_iterate(&gi, &grp) == SMB_LGRP_SUCCESS) { 332 if (smb_lgrp_is_member(&grp, token->tkn_user.i_sid)) 333 smb_privset_merge(privs, grp.sg_privs); 334 smb_lgrp_free(&grp); 335 } 336 smb_lgrp_iterclose(&gi); 337 338 if (token->tkn_flags & SMB_ATF_ADMIN) { 339 char admgrp[] = "Administrators"; 340 341 rc = smb_lgrp_getbyname(admgrp, &grp); 342 if (rc == SMB_LGRP_SUCCESS) { 343 smb_privset_merge(privs, grp.sg_privs); 344 smb_lgrp_free(&grp); 345 } 346 347 /* 348 * This privilege is required to view/edit SACL 349 */ 350 smb_privset_enable(privs, SE_SECURITY_LUID); 351 } 352 353 /* 354 * Members of "Authenticated Users" (!anon) should normally get 355 * "Bypass traverse checking" privilege, though we allow this 356 * to be disabled (see smb.4). For historical reasons, the 357 * internal privilege name is "SeChangeNotifyPrivilege". 358 */ 359 if ((token->tkn_flags & SMB_ATF_ANON) == 0 && 360 smb_config_getbool(SMB_CI_BYPASS_TRAVERSE_CHECKING)) 361 smb_privset_enable(privs, SE_CHANGE_NOTIFY_LUID); 362 363 return (privs); 364 } 365 366 static void 367 smb_token_set_flags(smb_token_t *token) 368 { 369 if (smb_token_is_member(token, smb_wka_get_sid("Administrators"))) 370 token->tkn_flags |= SMB_ATF_ADMIN; 371 372 if (smb_token_is_member(token, smb_wka_get_sid("Power Users"))) 373 token->tkn_flags |= SMB_ATF_POWERUSER; 374 375 if (smb_token_is_member(token, smb_wka_get_sid("Backup Operators"))) 376 token->tkn_flags |= SMB_ATF_BACKUPOP; 377 } 378 379 /* 380 * Common token setup for both local and domain users. 381 * This function must be called after the initial setup 382 * has been done. 383 * 384 * Note that the order of calls in this function are important. 385 * 386 * Returns B_TRUE for success. 387 */ 388 boolean_t 389 smb_token_setup_common(smb_token_t *token) 390 { 391 smb_token_set_flags(token); 392 393 smb_token_set_owner(token); 394 if (token->tkn_owner.i_sid == NULL) 395 return (B_FALSE); 396 397 /* Privileges */ 398 token->tkn_privileges = smb_token_create_privs(token); 399 if (token->tkn_privileges == NULL) 400 return (B_FALSE); 401 402 if (smb_token_sids2ids(token) != 0) { 403 syslog(LOG_ERR, "%s\\%s: idmap failed", 404 token->tkn_domain_name, token->tkn_account_name); 405 return (B_FALSE); 406 } 407 408 /* Solaris Groups */ 409 token->tkn_posix_grps = smb_token_create_pxgrps(token->tkn_user.i_id); 410 411 return (smb_token_valid(token)); 412 } 413 414 uint32_t 415 smb_logon_init(void) 416 { 417 uint32_t status; 418 419 (void) rw_wrlock(&smb_logoninit_rwl); 420 status = smb_sam_lookup_name(NULL, "guest", SidTypeUser, &smb_guest); 421 if (status != NT_STATUS_SUCCESS) { 422 (void) rw_unlock(&smb_logoninit_rwl); 423 return (status); 424 } 425 426 status = smb_sam_lookup_name(NULL, "domain users", SidTypeGroup, 427 &smb_domusers); 428 if (status != NT_STATUS_SUCCESS) { 429 smb_account_free(&smb_guest); 430 bzero(&smb_guest, sizeof (smb_account_t)); 431 (void) rw_unlock(&smb_logoninit_rwl); 432 return (status); 433 } 434 435 (void) rw_unlock(&smb_logoninit_rwl); 436 return (status); 437 } 438 439 void 440 smb_logon_fini(void) 441 { 442 (void) rw_wrlock(&smb_logoninit_rwl); 443 smb_account_free(&smb_guest); 444 smb_account_free(&smb_domusers); 445 bzero(&smb_guest, sizeof (smb_account_t)); 446 bzero(&smb_domusers, sizeof (smb_account_t)); 447 (void) rw_unlock(&smb_logoninit_rwl); 448 } 449 450 /* 451 * Perform user authentication. 452 * 453 * The dispatched functions must only update the user_info status if they 454 * attempt to authenticate the user. 455 * 456 * On success, a pointer to a new access token is returned. 457 * On failure, NULL return and status in user_info->lg_status 458 */ 459 smb_token_t * 460 smb_logon(smb_logon_t *user_info) 461 { 462 static smb_logonop_t ops[] = { 463 smb_logon_anon, 464 smb_logon_local, 465 smb_logon_domain, 466 smb_logon_guest 467 }; 468 smb_token_t *token = NULL; 469 smb_domain_t domain; 470 int n_op = (sizeof (ops) / sizeof (ops[0])); 471 int i; 472 473 user_info->lg_secmode = smb_config_get_secmode(); 474 475 if (smb_domain_lookup_name(user_info->lg_e_domain, &domain)) 476 user_info->lg_domain_type = domain.di_type; 477 else 478 user_info->lg_domain_type = SMB_DOMAIN_NULL; 479 480 if ((token = calloc(1, sizeof (smb_token_t))) == NULL) { 481 syslog(LOG_ERR, "logon[%s\\%s]: %m", 482 user_info->lg_e_domain, user_info->lg_e_username); 483 return (NULL); 484 } 485 486 /* 487 * If any logonop function takes significant action 488 * (logon or authoratative failure) it will change 489 * this status field to something else. 490 */ 491 user_info->lg_status = NT_STATUS_NO_SUCH_USER; 492 for (i = 0; i < n_op; ++i) { 493 (*ops[i])(user_info, token); 494 495 if (user_info->lg_status == NT_STATUS_SUCCESS) 496 break; 497 } 498 499 if (user_info->lg_status == NT_STATUS_SUCCESS) { 500 if (smb_token_setup_common(token)) 501 return (token); /* success */ 502 /* 503 * (else) smb_token_setup_common failed, which usually 504 * means smb_token_sids2ids() failed to map some SIDs to 505 * Unix IDs. This indicates an idmap config problem. 506 */ 507 user_info->lg_status = NT_STATUS_INTERNAL_ERROR; 508 } 509 510 smb_token_destroy(token); 511 512 /* 513 * Any unknown user or bad password should result in 514 * NT_STATUS_LOGON_FAILURE (so we don't give hints). 515 */ 516 if (user_info->lg_status == NT_STATUS_NO_SUCH_USER || 517 user_info->lg_status == NT_STATUS_WRONG_PASSWORD) 518 user_info->lg_status = NT_STATUS_LOGON_FAILURE; 519 520 return (NULL); 521 } 522 523 /* 524 * If the user has an entry in the local database, attempt local authentication. 525 * 526 * In domain mode, we try to exclude domain accounts, which we do by only 527 * accepting local or null (blank) domain names here. Some clients (Mac OS) 528 * don't always send the domain name. 529 * 530 * If we are not going to attempt authentication, this function must return 531 * without updating the status. 532 */ 533 static void 534 smb_logon_local(smb_logon_t *user_info, smb_token_t *token) 535 { 536 char guest[SMB_USERNAME_MAXLEN]; 537 smb_passwd_t smbpw; 538 uint32_t status; 539 540 if (user_info->lg_secmode == SMB_SECMODE_DOMAIN) { 541 if ((user_info->lg_domain_type != SMB_DOMAIN_LOCAL) && 542 (user_info->lg_domain_type != SMB_DOMAIN_NULL)) 543 return; 544 } 545 546 /* 547 * If the requested account name is "guest" (or whatever 548 * our guest account is named) then don't handle it here. 549 * Let this request fall through to smb_logon_guest(). 550 */ 551 smb_guest_account(guest, SMB_USERNAME_MAXLEN); 552 if (smb_strcasecmp(guest, user_info->lg_e_username, 0) == 0) 553 return; 554 555 status = smb_token_auth_local(user_info, token, &smbpw); 556 if (status == NT_STATUS_SUCCESS) 557 status = smb_token_setup_local(&smbpw, token); 558 559 user_info->lg_status = status; 560 } 561 562 /* 563 * Guest authentication. This may be a local guest account or the guest 564 * account may be mapped to a local account. These accounts are regular 565 * accounts with normal password protection. 566 * 567 * Only proceed with a guest logon if previous logon options have resulted 568 * in NO_SUCH_USER. 569 * 570 * If we are not going to attempt authentication, this function must return 571 * without updating the status. 572 */ 573 static void 574 smb_logon_guest(smb_logon_t *user_info, smb_token_t *token) 575 { 576 char guest[SMB_USERNAME_MAXLEN]; 577 smb_passwd_t smbpw; 578 char *temp; 579 580 if (user_info->lg_status != NT_STATUS_NO_SUCH_USER) 581 return; 582 583 /* Get the name of the guest account. */ 584 smb_guest_account(guest, SMB_USERNAME_MAXLEN); 585 586 /* Does the guest account exist? */ 587 if (smb_pwd_getpwnam(guest, &smbpw) == NULL) 588 return; 589 590 /* Is it enabled? (empty p/w is OK) */ 591 if (smbpw.pw_flags & SMB_PWF_DISABLE) 592 return; 593 594 /* 595 * OK, give the client a guest logon. Note that on entry, 596 * lg_e_username is typically something other than "guest" 597 * so we need to set the effective username when createing 598 * the guest token. 599 */ 600 temp = user_info->lg_e_username; 601 user_info->lg_e_username = guest; 602 user_info->lg_status = smb_token_setup_guest(user_info, token); 603 user_info->lg_e_username = temp; 604 } 605 606 /* 607 * If user_info represents an anonymous user then setup the token. 608 * Otherwise return without updating the status. 609 */ 610 static void 611 smb_logon_anon(smb_logon_t *user_info, smb_token_t *token) 612 { 613 if (user_info->lg_flags & SMB_ATF_ANON) 614 user_info->lg_status = smb_token_setup_anon(token); 615 } 616 617 /* 618 * Try both LM hash and NT hashes with user's password(s) to authenticate 619 * the user. 620 */ 621 static uint32_t 622 smb_token_auth_local(smb_logon_t *user_info, smb_token_t *token, 623 smb_passwd_t *smbpw) 624 { 625 boolean_t ok; 626 uint32_t status = NT_STATUS_SUCCESS; 627 628 if (smb_pwd_getpwnam(user_info->lg_e_username, smbpw) == NULL) 629 return (NT_STATUS_NO_SUCH_USER); 630 631 if (smbpw->pw_flags & SMB_PWF_DISABLE) 632 return (NT_STATUS_ACCOUNT_DISABLED); 633 634 if ((smbpw->pw_flags & (SMB_PWF_LM | SMB_PWF_NT)) == 0) { 635 /* 636 * The SMB passwords have not been set. 637 * Return an error that suggests the 638 * password needs to be set. 639 */ 640 return (NT_STATUS_PASSWORD_EXPIRED); 641 } 642 643 token->tkn_ssnkey.val = malloc(SMBAUTH_SESSION_KEY_SZ); 644 if (token->tkn_ssnkey.val == NULL) 645 return (NT_STATUS_NO_MEMORY); 646 token->tkn_ssnkey.len = SMBAUTH_SESSION_KEY_SZ; 647 648 ok = smb_auth_validate( 649 smbpw, 650 user_info->lg_domain, 651 user_info->lg_username, 652 user_info->lg_challenge_key.val, 653 user_info->lg_challenge_key.len, 654 user_info->lg_nt_password.val, 655 user_info->lg_nt_password.len, 656 user_info->lg_lm_password.val, 657 user_info->lg_lm_password.len, 658 token->tkn_ssnkey.val); 659 if (ok) 660 return (NT_STATUS_SUCCESS); 661 662 free(token->tkn_ssnkey.val); 663 token->tkn_ssnkey.val = NULL; 664 token->tkn_ssnkey.len = 0; 665 666 status = NT_STATUS_WRONG_PASSWORD; 667 syslog(LOG_NOTICE, "logon[%s\\%s]: %s", 668 user_info->lg_e_domain, user_info->lg_e_username, 669 xlate_nt_status(status)); 670 671 return (status); 672 } 673 674 /* 675 * Setup an access token for the specified local user. 676 */ 677 static uint32_t 678 smb_token_setup_local(smb_passwd_t *smbpw, smb_token_t *token) 679 { 680 idmap_stat stat; 681 smb_idmap_batch_t sib; 682 smb_idmap_t *umap, *gmap; 683 struct passwd pw; 684 char pwbuf[1024]; 685 char nbname[NETBIOS_NAME_SZ]; 686 687 (void) smb_getnetbiosname(nbname, sizeof (nbname)); 688 token->tkn_account_name = strdup(smbpw->pw_name); 689 token->tkn_domain_name = strdup(nbname); 690 691 if (token->tkn_account_name == NULL || 692 token->tkn_domain_name == NULL) 693 return (NT_STATUS_NO_MEMORY); 694 695 if (getpwuid_r(smbpw->pw_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL) 696 return (NT_STATUS_NO_SUCH_USER); 697 698 /* Get the SID for user's uid & gid */ 699 stat = smb_idmap_batch_create(&sib, 2, SMB_IDMAP_ID2SID); 700 if (stat != IDMAP_SUCCESS) 701 return (NT_STATUS_INTERNAL_ERROR); 702 703 umap = &sib.sib_maps[0]; 704 stat = smb_idmap_batch_getsid(sib.sib_idmaph, umap, pw.pw_uid, 705 SMB_IDMAP_USER); 706 707 if (stat != IDMAP_SUCCESS) { 708 smb_idmap_batch_destroy(&sib); 709 return (NT_STATUS_INTERNAL_ERROR); 710 } 711 712 gmap = &sib.sib_maps[1]; 713 stat = smb_idmap_batch_getsid(sib.sib_idmaph, gmap, pw.pw_gid, 714 SMB_IDMAP_GROUP); 715 716 if (stat != IDMAP_SUCCESS) { 717 smb_idmap_batch_destroy(&sib); 718 return (NT_STATUS_INTERNAL_ERROR); 719 } 720 721 /* No error CB. Report errors below. */ 722 stat = smb_idmap_batch_getmappings(&sib, NULL); 723 724 if (stat != IDMAP_SUCCESS) { 725 syslog(LOG_NOTICE, "logon[%s\\%s]: Can't get SID for " 726 "primary GID or UID", 727 nbname, smbpw->pw_name); 728 smb_idmap_batch_destroy(&sib); 729 return (NT_STATUS_INTERNAL_ERROR); 730 } 731 732 token->tkn_user.i_sid = smb_sid_dup(umap->sim_sid); 733 token->tkn_primary_grp.i_sid = smb_sid_dup(gmap->sim_sid); 734 735 smb_idmap_batch_destroy(&sib); 736 737 if (token->tkn_user.i_sid == NULL || 738 token->tkn_primary_grp.i_sid == NULL) 739 return (NT_STATUS_NO_MEMORY); 740 741 return (smb_token_setup_wingrps(token)); 742 } 743 744 /* 745 * Setup access token for guest connections 746 */ 747 static uint32_t 748 smb_token_setup_guest(smb_logon_t *user_info, smb_token_t *token) 749 { 750 token->tkn_account_name = strdup(user_info->lg_e_username); 751 752 (void) rw_rdlock(&smb_logoninit_rwl); 753 token->tkn_domain_name = strdup(smb_guest.a_domain); 754 token->tkn_user.i_sid = smb_sid_dup(smb_guest.a_sid); 755 token->tkn_primary_grp.i_sid = smb_sid_dup(smb_domusers.a_sid); 756 (void) rw_unlock(&smb_logoninit_rwl); 757 token->tkn_flags = SMB_ATF_GUEST; 758 759 /* 760 * [MS-NLMP] 3.2.5.1.2 "Server Receives an AUTHENTICATE_MESSAGE from the 761 * Client": 762 * The 'SessionBaseKey' for Guests is 16-bytes of 0s. 763 */ 764 token->tkn_ssnkey.val = calloc(1, SMBAUTH_SESSION_KEY_SZ); 765 766 if (token->tkn_account_name == NULL || 767 token->tkn_domain_name == NULL || 768 token->tkn_user.i_sid == NULL || 769 token->tkn_primary_grp.i_sid == NULL || 770 token->tkn_ssnkey.val == NULL) 771 return (NT_STATUS_NO_MEMORY); 772 773 token->tkn_ssnkey.len = SMBAUTH_SESSION_KEY_SZ; 774 return (smb_token_setup_wingrps(token)); 775 } 776 777 /* 778 * Setup access token for anonymous connections 779 */ 780 static uint32_t 781 smb_token_setup_anon(smb_token_t *token) 782 { 783 smb_sid_t *user_sid; 784 785 token->tkn_account_name = strdup("Anonymous"); 786 token->tkn_domain_name = strdup("NT Authority"); 787 user_sid = smb_wka_get_sid("Anonymous"); 788 token->tkn_user.i_sid = smb_sid_dup(user_sid); 789 token->tkn_primary_grp.i_sid = smb_sid_dup(user_sid); 790 token->tkn_flags = SMB_ATF_ANON; 791 792 /* 793 * [MS-NLMP] 3.2.5.1.2 "Server Receives an AUTHENTICATE_MESSAGE from the 794 * Client": 795 * The 'SessionBaseKey' for Anonymous users is 16-bytes of 0s. 796 */ 797 token->tkn_ssnkey.val = calloc(1, SMBAUTH_SESSION_KEY_SZ); 798 799 if (token->tkn_account_name == NULL || 800 token->tkn_domain_name == NULL || 801 token->tkn_user.i_sid == NULL || 802 token->tkn_primary_grp.i_sid == NULL || 803 token->tkn_ssnkey.val == NULL) 804 return (NT_STATUS_NO_MEMORY); 805 806 token->tkn_ssnkey.len = SMBAUTH_SESSION_KEY_SZ; 807 return (smb_token_setup_wingrps(token)); 808 } 809 810 /* 811 * smb_token_user_sid 812 * 813 * Return a pointer to the user SID in the specified token. A null 814 * pointer indicates an error. 815 */ 816 static smb_sid_t * 817 smb_token_user_sid(smb_token_t *token) 818 { 819 return ((token) ? token->tkn_user.i_sid : NULL); 820 } 821 822 /* 823 * smb_token_group_sid 824 * 825 * Return a pointer to the group SID as indicated by the iterator. 826 * Setting the iterator to 0 before calling this function will return 827 * the first group, which will always be the primary group. The 828 * iterator will be incremented before returning the SID so that this 829 * function can be used to cycle through the groups. The caller can 830 * adjust the iterator as required between calls to obtain any specific 831 * group. 832 * 833 * On success a pointer to the appropriate group SID will be returned. 834 * Otherwise a null pointer will be returned. 835 */ 836 static smb_sid_t * 837 smb_token_group_sid(smb_token_t *token, int *iterator) 838 { 839 int index; 840 841 if (token == NULL || iterator == NULL) 842 return (NULL); 843 844 if (token->tkn_win_grps.i_ids == NULL) 845 return (NULL); 846 847 index = *iterator; 848 849 if (index < 0 || index >= token->tkn_win_grps.i_cnt) 850 return (NULL); 851 852 ++(*iterator); 853 return (token->tkn_win_grps.i_ids[index].i_sid); 854 } 855 856 /* 857 * smb_token_is_member 858 * 859 * This function will determine whether or not the specified SID is a 860 * member of a token. The user SID and all group SIDs are tested. 861 * Returns 1 if the SID is a member of the token. Otherwise returns 0. 862 */ 863 static boolean_t 864 smb_token_is_member(smb_token_t *token, smb_sid_t *sid) 865 { 866 smb_sid_t *tsid; 867 int iterator = 0; 868 869 if (token == NULL || sid == NULL) 870 return (B_FALSE); 871 872 tsid = smb_token_user_sid(token); 873 while (tsid) { 874 if (smb_sid_cmp(tsid, sid)) 875 return (B_TRUE); 876 877 tsid = smb_token_group_sid(token, &iterator); 878 } 879 880 return (B_FALSE); 881 } 882 883 /* 884 * smb_token_log 885 * 886 * Diagnostic routine to write the contents of a token to the log. 887 */ 888 void 889 smb_token_log(smb_token_t *token) 890 { 891 smb_ids_t *w_grps; 892 smb_id_t *grp; 893 smb_posix_grps_t *x_grps; 894 char sidstr[SMB_SID_STRSZ]; 895 int i; 896 897 if (token == NULL) 898 return; 899 900 syslog(LOG_DEBUG, "Token for %s\\%s", 901 (token->tkn_domain_name) ? token->tkn_domain_name : "-NULL-", 902 (token->tkn_account_name) ? token->tkn_account_name : "-NULL-"); 903 904 syslog(LOG_DEBUG, " User->Attr: %d", token->tkn_user.i_attrs); 905 smb_sid_tostr((smb_sid_t *)token->tkn_user.i_sid, sidstr); 906 syslog(LOG_DEBUG, " User->Sid: %s (id=%u)", sidstr, 907 token->tkn_user.i_id); 908 909 smb_sid_tostr((smb_sid_t *)token->tkn_owner.i_sid, sidstr); 910 syslog(LOG_DEBUG, " Ownr->Sid: %s (id=%u)", 911 sidstr, token->tkn_owner.i_id); 912 913 smb_sid_tostr((smb_sid_t *)token->tkn_primary_grp.i_sid, sidstr); 914 syslog(LOG_DEBUG, " PGrp->Sid: %s (id=%u)", 915 sidstr, token->tkn_primary_grp.i_id); 916 917 w_grps = &token->tkn_win_grps; 918 if (w_grps->i_ids) { 919 syslog(LOG_DEBUG, " Windows groups: %d", w_grps->i_cnt); 920 grp = w_grps->i_ids; 921 for (i = 0; i < w_grps->i_cnt; ++i, grp++) { 922 syslog(LOG_DEBUG, 923 " Grp[%d].Attr:%d", i, grp->i_attrs); 924 if (grp->i_sid != NULL) { 925 smb_sid_tostr((smb_sid_t *)grp->i_sid, sidstr); 926 syslog(LOG_DEBUG, 927 " Grp[%d].Sid: %s (id=%u)", i, sidstr, 928 grp->i_id); 929 } 930 } 931 } else { 932 syslog(LOG_DEBUG, " No Windows groups"); 933 } 934 935 x_grps = token->tkn_posix_grps; 936 if (x_grps) { 937 syslog(LOG_DEBUG, " Solaris groups: %d", x_grps->pg_ngrps); 938 for (i = 0; i < x_grps->pg_ngrps; i++) 939 syslog(LOG_DEBUG, " %u", x_grps->pg_grps[i]); 940 } else { 941 syslog(LOG_DEBUG, " No Solaris groups"); 942 } 943 944 if (token->tkn_privileges) 945 smb_privset_log(token->tkn_privileges); 946 else 947 syslog(LOG_DEBUG, " No privileges"); 948 } 949 950 /* 951 * Sets up local and well-known group membership for the given 952 * token. Two assumptions have been made here: 953 * 954 * a) token already contains a valid user SID so that group 955 * memberships can be established 956 * 957 * b) token belongs to a local or anonymous user 958 */ 959 static uint32_t 960 smb_token_setup_wingrps(smb_token_t *token) 961 { 962 smb_ids_t tkn_grps; 963 uint32_t status; 964 965 966 /* 967 * We always want the user's primary group in the list 968 * of groups. 969 */ 970 tkn_grps.i_cnt = 1; 971 if ((tkn_grps.i_ids = malloc(sizeof (smb_id_t))) == NULL) 972 return (NT_STATUS_NO_MEMORY); 973 974 tkn_grps.i_ids->i_sid = smb_sid_dup(token->tkn_primary_grp.i_sid); 975 tkn_grps.i_ids->i_attrs = token->tkn_primary_grp.i_attrs; 976 if (tkn_grps.i_ids->i_sid == NULL) { 977 smb_ids_free(&tkn_grps); 978 return (NT_STATUS_NO_MEMORY); 979 } 980 981 status = smb_sam_usr_groups(token->tkn_user.i_sid, &tkn_grps); 982 if (status != NT_STATUS_SUCCESS) { 983 smb_ids_free(&tkn_grps); 984 return (status); 985 } 986 987 status = smb_wka_token_groups(token->tkn_flags, &tkn_grps); 988 if (status != NT_STATUS_SUCCESS) { 989 smb_ids_free(&tkn_grps); 990 return (status); 991 } 992 993 token->tkn_win_grps = tkn_grps; 994 return (status); 995 } 996 997 /* 998 * Returns the guest account name in the provided buffer. 999 * 1000 * By default the name would be "guest" unless there's 1001 * a idmap name-based rule which maps the guest to a local 1002 * Solaris user in which case the name of that user is 1003 * returned. 1004 */ 1005 static void 1006 smb_guest_account(char *guest, size_t buflen) 1007 { 1008 idmap_stat stat; 1009 uid_t guest_uid; 1010 struct passwd pw; 1011 char pwbuf[1024]; 1012 int idtype; 1013 1014 /* default Guest account name */ 1015 (void) rw_rdlock(&smb_logoninit_rwl); 1016 (void) strlcpy(guest, smb_guest.a_name, buflen); 1017 1018 idtype = SMB_IDMAP_USER; 1019 stat = smb_idmap_getid(smb_guest.a_sid, &guest_uid, &idtype); 1020 (void) rw_unlock(&smb_logoninit_rwl); 1021 1022 if (stat != IDMAP_SUCCESS) 1023 return; 1024 1025 /* If Ephemeral ID return the default name */ 1026 if (IDMAP_ID_IS_EPHEMERAL(guest_uid)) 1027 return; 1028 1029 if (getpwuid_r(guest_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL) 1030 return; 1031 1032 (void) strlcpy(guest, pw.pw_name, buflen); 1033 } 1034