1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 #include <unistd.h> 26 #include <strings.h> 27 #include <pwd.h> 28 #include <grp.h> 29 #include <time.h> 30 #include <syslog.h> 31 #include <assert.h> 32 #include <synch.h> 33 34 #include <smbsrv/libsmb.h> 35 #include <smbsrv/libmlsvc.h> 36 37 #include <smbsrv/smbinfo.h> 38 #include <smbsrv/smb_token.h> 39 #include <lsalib.h> 40 41 static smb_account_t smb_guest; 42 static smb_account_t smb_domusers; 43 static rwlock_t smb_logoninit_rwl; 44 45 typedef void (*smb_logonop_t)(smb_logon_t *, smb_token_t *); 46 47 extern void smb_logon_domain(smb_logon_t *, smb_token_t *); 48 static void smb_logon_local(smb_logon_t *, smb_token_t *); 49 static void smb_logon_guest(smb_logon_t *, smb_token_t *); 50 static void smb_logon_anon(smb_logon_t *, smb_token_t *); 51 52 static uint32_t smb_token_auth_local(smb_logon_t *, smb_token_t *, 53 smb_passwd_t *); 54 55 static uint32_t smb_token_setup_local(smb_passwd_t *, smb_token_t *); 56 static uint32_t smb_token_setup_guest(smb_logon_t *, smb_token_t *); 57 static uint32_t smb_token_setup_anon(smb_token_t *token); 58 59 static boolean_t smb_token_is_member(smb_token_t *, smb_sid_t *); 60 static uint32_t smb_token_setup_wingrps(smb_token_t *); 61 static smb_posix_grps_t *smb_token_create_pxgrps(uid_t); 62 63 static void smb_guest_account(char *, size_t); 64 65 /* Consolidation private function from Network Repository */ 66 extern int _getgroupsbymember(const char *, gid_t[], int, int); 67 68 static idmap_stat 69 smb_token_idmap(smb_token_t *token, smb_idmap_batch_t *sib) 70 { 71 idmap_stat stat; 72 smb_idmap_t *sim; 73 smb_id_t *id; 74 int i; 75 76 if (!token || !sib) 77 return (IDMAP_ERR_ARG); 78 79 sim = sib->sib_maps; 80 81 if (token->tkn_flags & SMB_ATF_ANON) { 82 token->tkn_user.i_id = UID_NOBODY; 83 token->tkn_owner.i_id = UID_NOBODY; 84 } else { 85 /* User SID */ 86 id = &token->tkn_user; 87 sim->sim_id = &id->i_id; 88 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, 89 id->i_sid, SMB_IDMAP_USER); 90 91 if (stat != IDMAP_SUCCESS) 92 return (stat); 93 94 /* Owner SID */ 95 id = &token->tkn_owner; 96 sim->sim_id = &id->i_id; 97 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, 98 id->i_sid, SMB_IDMAP_USER); 99 100 if (stat != IDMAP_SUCCESS) 101 return (stat); 102 } 103 104 /* Primary Group SID */ 105 id = &token->tkn_primary_grp; 106 sim->sim_id = &id->i_id; 107 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, id->i_sid, 108 SMB_IDMAP_GROUP); 109 110 if (stat != IDMAP_SUCCESS) 111 return (stat); 112 113 /* Other Windows Group SIDs */ 114 for (i = 0; i < token->tkn_win_grps.i_cnt; i++, sim++) { 115 id = &token->tkn_win_grps.i_ids[i]; 116 sim->sim_id = &id->i_id; 117 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim, 118 id->i_sid, SMB_IDMAP_GROUP); 119 120 if (stat != IDMAP_SUCCESS) 121 break; 122 } 123 124 return (stat); 125 } 126 127 /* 128 * smb_token_sids2ids 129 * 130 * This will map all the SIDs of the access token to UIDs/GIDs. 131 * 132 * Returns 0 upon success. Otherwise, returns -1. 133 */ 134 static int 135 smb_token_sids2ids(smb_token_t *token) 136 { 137 idmap_stat stat; 138 int nmaps; 139 smb_idmap_batch_t sib; 140 141 /* 142 * Number of idmap lookups: user SID, owner SID, primary group SID, 143 * and all Windows group SIDs. Skip user/owner SID for Anonymous. 144 */ 145 if (token->tkn_flags & SMB_ATF_ANON) 146 nmaps = token->tkn_win_grps.i_cnt + 1; 147 else 148 nmaps = token->tkn_win_grps.i_cnt + 3; 149 150 stat = smb_idmap_batch_create(&sib, nmaps, SMB_IDMAP_SID2ID); 151 if (stat != IDMAP_SUCCESS) 152 return (-1); 153 154 stat = smb_token_idmap(token, &sib); 155 if (stat != IDMAP_SUCCESS) { 156 smb_idmap_batch_destroy(&sib); 157 return (-1); 158 } 159 160 stat = smb_idmap_batch_getmappings(&sib); 161 smb_idmap_batch_destroy(&sib); 162 smb_idmap_check("smb_idmap_batch_getmappings", stat); 163 164 return (stat == IDMAP_SUCCESS ? 0 : -1); 165 } 166 167 /* 168 * smb_token_create_pxgrps 169 * 170 * Setup the POSIX group membership of the access token if the given UID is 171 * a POSIX UID (non-ephemeral). Both the user's primary group and 172 * supplementary groups will be added to the POSIX group array of the access 173 * token. 174 */ 175 static smb_posix_grps_t * 176 smb_token_create_pxgrps(uid_t uid) 177 { 178 struct passwd *pwd; 179 smb_posix_grps_t *pgrps; 180 int ngroups_max, num; 181 gid_t *gids; 182 183 if ((ngroups_max = sysconf(_SC_NGROUPS_MAX)) < 0) { 184 syslog(LOG_ERR, "smb_logon: failed to get _SC_NGROUPS_MAX"); 185 return (NULL); 186 } 187 188 pwd = getpwuid(uid); 189 if (pwd == NULL) { 190 pgrps = malloc(sizeof (smb_posix_grps_t)); 191 if (pgrps == NULL) 192 return (NULL); 193 194 pgrps->pg_ngrps = 0; 195 return (pgrps); 196 } 197 198 if (pwd->pw_name == NULL) { 199 pgrps = malloc(sizeof (smb_posix_grps_t)); 200 if (pgrps == NULL) 201 return (NULL); 202 203 pgrps->pg_ngrps = 1; 204 pgrps->pg_grps[0] = pwd->pw_gid; 205 return (pgrps); 206 } 207 208 gids = (gid_t *)malloc(ngroups_max * sizeof (gid_t)); 209 if (gids == NULL) { 210 return (NULL); 211 } 212 bzero(gids, ngroups_max * sizeof (gid_t)); 213 214 gids[0] = pwd->pw_gid; 215 216 /* 217 * Setup the groups starting at index 1 (the last arg) 218 * of gids array. 219 */ 220 num = _getgroupsbymember(pwd->pw_name, gids, ngroups_max, 1); 221 222 if (num == -1) { 223 syslog(LOG_ERR, "smb_logon: unable " 224 "to get user's supplementary groups"); 225 num = 1; 226 } 227 228 pgrps = (smb_posix_grps_t *)malloc(SMB_POSIX_GRPS_SIZE(num)); 229 if (pgrps) { 230 pgrps->pg_ngrps = num; 231 bcopy(gids, pgrps->pg_grps, num * sizeof (gid_t)); 232 } 233 234 free(gids); 235 return (pgrps); 236 } 237 238 /* 239 * smb_token_destroy 240 * 241 * Release all of the memory associated with a token structure. Ensure 242 * that the token has been unlinked before calling. 243 */ 244 void 245 smb_token_destroy(smb_token_t *token) 246 { 247 if (token != NULL) { 248 smb_sid_free(token->tkn_user.i_sid); 249 smb_sid_free(token->tkn_owner.i_sid); 250 smb_sid_free(token->tkn_primary_grp.i_sid); 251 smb_ids_free(&token->tkn_win_grps); 252 smb_privset_free(token->tkn_privileges); 253 free(token->tkn_posix_grps); 254 free(token->tkn_account_name); 255 free(token->tkn_domain_name); 256 free(token->tkn_session_key); 257 bzero(token, sizeof (smb_token_t)); 258 free(token); 259 } 260 } 261 262 /* 263 * Token owner should be set to local Administrators group 264 * in two cases: 265 * 1. The logged on user is a member of Domain Admins group 266 * 2. he/she is a member of local Administrators group 267 */ 268 static void 269 smb_token_set_owner(smb_token_t *token) 270 { 271 #ifdef SMB_SUPPORT_GROUP_OWNER 272 smb_sid_t *owner_sid; 273 274 if (token->tkn_flags & SMB_ATF_ADMIN) { 275 owner_sid = smb_wka_get_sid("Administrators"); 276 assert(owner_sid); 277 } else { 278 owner_sid = token->tkn_user->i_sid; 279 } 280 281 token->tkn_owner.i_sid = smb_sid_dup(owner_sid); 282 #endif 283 token->tkn_owner.i_sid = smb_sid_dup(token->tkn_user.i_sid); 284 } 285 286 static smb_privset_t * 287 smb_token_create_privs(smb_token_t *token) 288 { 289 smb_privset_t *privs; 290 smb_giter_t gi; 291 smb_group_t grp; 292 int rc; 293 294 privs = smb_privset_new(); 295 if (privs == NULL) 296 return (NULL); 297 298 if (smb_lgrp_iteropen(&gi) != SMB_LGRP_SUCCESS) { 299 smb_privset_free(privs); 300 return (NULL); 301 } 302 303 while (smb_lgrp_iterate(&gi, &grp) == SMB_LGRP_SUCCESS) { 304 if (smb_lgrp_is_member(&grp, token->tkn_user.i_sid)) 305 smb_privset_merge(privs, grp.sg_privs); 306 smb_lgrp_free(&grp); 307 } 308 smb_lgrp_iterclose(&gi); 309 310 if (token->tkn_flags & SMB_ATF_ADMIN) { 311 char admgrp[] = "Administrators"; 312 313 rc = smb_lgrp_getbyname(admgrp, &grp); 314 if (rc == SMB_LGRP_SUCCESS) { 315 smb_privset_merge(privs, grp.sg_privs); 316 smb_lgrp_free(&grp); 317 } 318 319 /* 320 * This privilege is required to view/edit SACL 321 */ 322 smb_privset_enable(privs, SE_SECURITY_LUID); 323 } 324 325 return (privs); 326 } 327 328 static void 329 smb_token_set_flags(smb_token_t *token) 330 { 331 if (smb_token_is_member(token, smb_wka_get_sid("Administrators"))) 332 token->tkn_flags |= SMB_ATF_ADMIN; 333 334 if (smb_token_is_member(token, smb_wka_get_sid("Power Users"))) 335 token->tkn_flags |= SMB_ATF_POWERUSER; 336 337 if (smb_token_is_member(token, smb_wka_get_sid("Backup Operators"))) 338 token->tkn_flags |= SMB_ATF_BACKUPOP; 339 } 340 341 /* 342 * Common token setup for both local and domain users. 343 * This function must be called after the initial setup 344 * has been done. 345 * 346 * Note that the order of calls in this function are important. 347 */ 348 static boolean_t 349 smb_token_setup_common(smb_token_t *token) 350 { 351 smb_token_set_flags(token); 352 353 smb_token_set_owner(token); 354 if (token->tkn_owner.i_sid == NULL) 355 return (B_FALSE); 356 357 /* Privileges */ 358 token->tkn_privileges = smb_token_create_privs(token); 359 if (token->tkn_privileges == NULL) 360 return (B_FALSE); 361 362 if (smb_token_sids2ids(token) != 0) { 363 syslog(LOG_ERR, "%s\\%s: idmap failed", 364 token->tkn_domain_name, token->tkn_account_name); 365 return (B_FALSE); 366 } 367 368 /* Solaris Groups */ 369 token->tkn_posix_grps = smb_token_create_pxgrps(token->tkn_user.i_id); 370 371 return (smb_token_valid(token)); 372 } 373 374 uint32_t 375 smb_logon_init(void) 376 { 377 uint32_t status; 378 379 (void) rw_wrlock(&smb_logoninit_rwl); 380 status = smb_sam_lookup_name(NULL, "guest", SidTypeUser, &smb_guest); 381 if (status != NT_STATUS_SUCCESS) { 382 (void) rw_unlock(&smb_logoninit_rwl); 383 return (status); 384 } 385 386 status = smb_sam_lookup_name(NULL, "domain users", SidTypeGroup, 387 &smb_domusers); 388 if (status != NT_STATUS_SUCCESS) { 389 smb_account_free(&smb_guest); 390 bzero(&smb_guest, sizeof (smb_account_t)); 391 (void) rw_unlock(&smb_logoninit_rwl); 392 return (status); 393 } 394 395 (void) rw_unlock(&smb_logoninit_rwl); 396 return (status); 397 } 398 399 void 400 smb_logon_fini(void) 401 { 402 (void) rw_wrlock(&smb_logoninit_rwl); 403 smb_account_free(&smb_guest); 404 smb_account_free(&smb_domusers); 405 bzero(&smb_guest, sizeof (smb_account_t)); 406 bzero(&smb_domusers, sizeof (smb_account_t)); 407 (void) rw_unlock(&smb_logoninit_rwl); 408 } 409 410 /* 411 * Perform user authentication. 412 * 413 * The dispatched functions must only update the user_info status if they 414 * attempt to authenticate the user. 415 * 416 * On success, a pointer to a new access token is returned. 417 */ 418 smb_token_t * 419 smb_logon(smb_logon_t *user_info) 420 { 421 static smb_logonop_t ops[] = { 422 smb_logon_anon, 423 smb_logon_local, 424 smb_logon_domain, 425 smb_logon_guest 426 }; 427 smb_token_t *token = NULL; 428 smb_domain_t domain; 429 int n_op = (sizeof (ops) / sizeof (ops[0])); 430 int i; 431 432 user_info->lg_secmode = smb_config_get_secmode(); 433 user_info->lg_status = NT_STATUS_NO_SUCH_USER; 434 435 if (smb_domain_lookup_name(user_info->lg_e_domain, &domain)) 436 user_info->lg_domain_type = domain.di_type; 437 else 438 user_info->lg_domain_type = SMB_DOMAIN_NULL; 439 440 if ((token = calloc(1, sizeof (smb_token_t))) == NULL) { 441 syslog(LOG_ERR, "logon[%s\\%s]: %m", 442 user_info->lg_e_domain, user_info->lg_e_username); 443 return (NULL); 444 } 445 446 for (i = 0; i < n_op; ++i) { 447 (*ops[i])(user_info, token); 448 449 if (user_info->lg_status == NT_STATUS_SUCCESS) 450 break; 451 } 452 453 if (user_info->lg_status == NT_STATUS_SUCCESS) { 454 if (smb_token_setup_common(token)) 455 return (token); 456 } 457 458 smb_token_destroy(token); 459 return (NULL); 460 } 461 462 /* 463 * If the user has an entry in the local database, attempt local authentication. 464 * 465 * In domain mode, we try to exclude domain accounts, which we do by only 466 * accepting local or null (blank) domain names here. Some clients (Mac OS) 467 * don't always send the domain name. 468 * 469 * If we are not going to attempt authentication, this function must return 470 * without updating the status. 471 */ 472 static void 473 smb_logon_local(smb_logon_t *user_info, smb_token_t *token) 474 { 475 char guest[SMB_USERNAME_MAXLEN]; 476 smb_passwd_t smbpw; 477 uint32_t status; 478 boolean_t isguest; 479 480 if (user_info->lg_secmode == SMB_SECMODE_DOMAIN) { 481 if ((user_info->lg_domain_type != SMB_DOMAIN_LOCAL) && 482 (user_info->lg_domain_type != SMB_DOMAIN_NULL)) 483 return; 484 } 485 486 smb_guest_account(guest, SMB_USERNAME_MAXLEN); 487 isguest = (smb_strcasecmp(guest, user_info->lg_e_username, 0) == 0); 488 489 status = smb_token_auth_local(user_info, token, &smbpw); 490 if (status == NT_STATUS_SUCCESS) { 491 if (isguest) 492 status = smb_token_setup_guest(user_info, token); 493 else 494 status = smb_token_setup_local(&smbpw, token); 495 } 496 497 user_info->lg_status = status; 498 } 499 500 /* 501 * Guest authentication. This may be a local guest account or the guest 502 * account may be mapped to a local account. These accounts are regular 503 * accounts with normal password protection. 504 * 505 * Only proceed with a guest logon if previous logon options have resulted 506 * in NO_SUCH_USER. 507 * 508 * If we are not going to attempt authentication, this function must return 509 * without updating the status. 510 */ 511 static void 512 smb_logon_guest(smb_logon_t *user_info, smb_token_t *token) 513 { 514 char guest[SMB_USERNAME_MAXLEN]; 515 smb_passwd_t smbpw; 516 char *temp; 517 uint32_t status; 518 519 if (user_info->lg_status != NT_STATUS_NO_SUCH_USER) 520 return; 521 522 smb_guest_account(guest, SMB_USERNAME_MAXLEN); 523 temp = user_info->lg_e_username; 524 user_info->lg_e_username = guest; 525 526 status = smb_token_auth_local(user_info, token, &smbpw); 527 if ((status == NT_STATUS_SUCCESS) || 528 (status == NT_STATUS_NO_SUCH_USER)) { 529 status = smb_token_setup_guest(user_info, token); 530 } 531 532 user_info->lg_e_username = temp; 533 user_info->lg_status = status; 534 } 535 536 /* 537 * If user_info represents an anonymous user then setup the token. 538 * Otherwise return without updating the status. 539 */ 540 static void 541 smb_logon_anon(smb_logon_t *user_info, smb_token_t *token) 542 { 543 if (user_info->lg_flags & SMB_ATF_ANON) 544 user_info->lg_status = smb_token_setup_anon(token); 545 } 546 547 /* 548 * Try both LM hash and NT hashes with user's password(s) to authenticate 549 * the user. 550 */ 551 static uint32_t 552 smb_token_auth_local(smb_logon_t *user_info, smb_token_t *token, 553 smb_passwd_t *smbpw) 554 { 555 boolean_t lm_ok, nt_ok; 556 uint32_t status = NT_STATUS_SUCCESS; 557 558 if (smb_pwd_getpwnam(user_info->lg_e_username, smbpw) == NULL) 559 return (NT_STATUS_NO_SUCH_USER); 560 561 if (smbpw->pw_flags & SMB_PWF_DISABLE) 562 return (NT_STATUS_ACCOUNT_DISABLED); 563 564 nt_ok = lm_ok = B_FALSE; 565 if ((smbpw->pw_flags & SMB_PWF_LM) && 566 (user_info->lg_lm_password.len != 0)) { 567 lm_ok = smb_auth_validate_lm( 568 user_info->lg_challenge_key.val, 569 user_info->lg_challenge_key.len, 570 smbpw, 571 user_info->lg_lm_password.val, 572 user_info->lg_lm_password.len, 573 user_info->lg_domain, 574 user_info->lg_username); 575 token->tkn_session_key = NULL; 576 } 577 578 if (!lm_ok && (user_info->lg_nt_password.len != 0)) { 579 token->tkn_session_key = malloc(SMBAUTH_SESSION_KEY_SZ); 580 if (token->tkn_session_key == NULL) 581 return (NT_STATUS_NO_MEMORY); 582 nt_ok = smb_auth_validate_nt( 583 user_info->lg_challenge_key.val, 584 user_info->lg_challenge_key.len, 585 smbpw, 586 user_info->lg_nt_password.val, 587 user_info->lg_nt_password.len, 588 user_info->lg_domain, 589 user_info->lg_username, 590 (uchar_t *)token->tkn_session_key); 591 } 592 593 if (!nt_ok && !lm_ok) { 594 status = NT_STATUS_WRONG_PASSWORD; 595 syslog(LOG_NOTICE, "logon[%s\\%s]: %s", 596 user_info->lg_e_domain, user_info->lg_e_username, 597 xlate_nt_status(status)); 598 } 599 600 return (status); 601 } 602 603 /* 604 * Setup an access token for the specified local user. 605 */ 606 static uint32_t 607 smb_token_setup_local(smb_passwd_t *smbpw, smb_token_t *token) 608 { 609 idmap_stat stat; 610 smb_idmap_batch_t sib; 611 smb_idmap_t *umap, *gmap; 612 struct passwd pw; 613 char pwbuf[1024]; 614 char nbname[NETBIOS_NAME_SZ]; 615 616 (void) smb_getnetbiosname(nbname, sizeof (nbname)); 617 token->tkn_account_name = strdup(smbpw->pw_name); 618 token->tkn_domain_name = strdup(nbname); 619 620 if (token->tkn_account_name == NULL || 621 token->tkn_domain_name == NULL) 622 return (NT_STATUS_NO_MEMORY); 623 624 if (getpwuid_r(smbpw->pw_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL) 625 return (NT_STATUS_NO_SUCH_USER); 626 627 /* Get the SID for user's uid & gid */ 628 stat = smb_idmap_batch_create(&sib, 2, SMB_IDMAP_ID2SID); 629 if (stat != IDMAP_SUCCESS) 630 return (NT_STATUS_INTERNAL_ERROR); 631 632 umap = &sib.sib_maps[0]; 633 stat = smb_idmap_batch_getsid(sib.sib_idmaph, umap, pw.pw_uid, 634 SMB_IDMAP_USER); 635 636 if (stat != IDMAP_SUCCESS) { 637 smb_idmap_batch_destroy(&sib); 638 return (NT_STATUS_INTERNAL_ERROR); 639 } 640 641 gmap = &sib.sib_maps[1]; 642 stat = smb_idmap_batch_getsid(sib.sib_idmaph, gmap, pw.pw_gid, 643 SMB_IDMAP_GROUP); 644 645 if (stat != IDMAP_SUCCESS) { 646 smb_idmap_batch_destroy(&sib); 647 return (NT_STATUS_INTERNAL_ERROR); 648 } 649 650 if (smb_idmap_batch_getmappings(&sib) != IDMAP_SUCCESS) 651 return (NT_STATUS_INTERNAL_ERROR); 652 653 token->tkn_user.i_sid = smb_sid_dup(umap->sim_sid); 654 token->tkn_primary_grp.i_sid = smb_sid_dup(gmap->sim_sid); 655 656 smb_idmap_batch_destroy(&sib); 657 658 if (token->tkn_user.i_sid == NULL || 659 token->tkn_primary_grp.i_sid == NULL) 660 return (NT_STATUS_NO_MEMORY); 661 662 return (smb_token_setup_wingrps(token)); 663 } 664 665 /* 666 * Setup access token for guest connections 667 */ 668 static uint32_t 669 smb_token_setup_guest(smb_logon_t *user_info, smb_token_t *token) 670 { 671 token->tkn_account_name = strdup(user_info->lg_e_username); 672 673 (void) rw_rdlock(&smb_logoninit_rwl); 674 token->tkn_domain_name = strdup(smb_guest.a_domain); 675 token->tkn_user.i_sid = smb_sid_dup(smb_guest.a_sid); 676 token->tkn_primary_grp.i_sid = smb_sid_dup(smb_domusers.a_sid); 677 (void) rw_unlock(&smb_logoninit_rwl); 678 token->tkn_flags = SMB_ATF_GUEST; 679 680 if (token->tkn_account_name == NULL || 681 token->tkn_domain_name == NULL || 682 token->tkn_user.i_sid == NULL || 683 token->tkn_primary_grp.i_sid == NULL) 684 return (NT_STATUS_NO_MEMORY); 685 686 return (smb_token_setup_wingrps(token)); 687 } 688 689 /* 690 * Setup access token for anonymous connections 691 */ 692 static uint32_t 693 smb_token_setup_anon(smb_token_t *token) 694 { 695 smb_sid_t *user_sid; 696 697 token->tkn_account_name = strdup("Anonymous"); 698 token->tkn_domain_name = strdup("NT Authority"); 699 user_sid = smb_wka_get_sid("Anonymous"); 700 token->tkn_user.i_sid = smb_sid_dup(user_sid); 701 token->tkn_primary_grp.i_sid = smb_sid_dup(user_sid); 702 token->tkn_flags = SMB_ATF_ANON; 703 704 if (token->tkn_account_name == NULL || 705 token->tkn_domain_name == NULL || 706 token->tkn_user.i_sid == NULL || 707 token->tkn_primary_grp.i_sid == NULL) 708 return (NT_STATUS_NO_MEMORY); 709 710 return (smb_token_setup_wingrps(token)); 711 } 712 713 /* 714 * smb_token_user_sid 715 * 716 * Return a pointer to the user SID in the specified token. A null 717 * pointer indicates an error. 718 */ 719 static smb_sid_t * 720 smb_token_user_sid(smb_token_t *token) 721 { 722 return ((token) ? token->tkn_user.i_sid : NULL); 723 } 724 725 /* 726 * smb_token_group_sid 727 * 728 * Return a pointer to the group SID as indicated by the iterator. 729 * Setting the iterator to 0 before calling this function will return 730 * the first group, which will always be the primary group. The 731 * iterator will be incremented before returning the SID so that this 732 * function can be used to cycle through the groups. The caller can 733 * adjust the iterator as required between calls to obtain any specific 734 * group. 735 * 736 * On success a pointer to the appropriate group SID will be returned. 737 * Otherwise a null pointer will be returned. 738 */ 739 static smb_sid_t * 740 smb_token_group_sid(smb_token_t *token, int *iterator) 741 { 742 int index; 743 744 if (token == NULL || iterator == NULL) 745 return (NULL); 746 747 if (token->tkn_win_grps.i_ids == NULL) 748 return (NULL); 749 750 index = *iterator; 751 752 if (index < 0 || index >= token->tkn_win_grps.i_cnt) 753 return (NULL); 754 755 ++(*iterator); 756 return (token->tkn_win_grps.i_ids[index].i_sid); 757 } 758 759 /* 760 * smb_token_is_member 761 * 762 * This function will determine whether or not the specified SID is a 763 * member of a token. The user SID and all group SIDs are tested. 764 * Returns 1 if the SID is a member of the token. Otherwise returns 0. 765 */ 766 static boolean_t 767 smb_token_is_member(smb_token_t *token, smb_sid_t *sid) 768 { 769 smb_sid_t *tsid; 770 int iterator = 0; 771 772 if (token == NULL || sid == NULL) 773 return (B_FALSE); 774 775 tsid = smb_token_user_sid(token); 776 while (tsid) { 777 if (smb_sid_cmp(tsid, sid)) 778 return (B_TRUE); 779 780 tsid = smb_token_group_sid(token, &iterator); 781 } 782 783 return (B_FALSE); 784 } 785 786 /* 787 * smb_token_log 788 * 789 * Diagnostic routine to write the contents of a token to the log. 790 */ 791 void 792 smb_token_log(smb_token_t *token) 793 { 794 smb_ids_t *w_grps; 795 smb_id_t *grp; 796 smb_posix_grps_t *x_grps; 797 char sidstr[SMB_SID_STRSZ]; 798 int i; 799 800 if (token == NULL) 801 return; 802 803 syslog(LOG_DEBUG, "Token for %s\\%s", 804 (token->tkn_domain_name) ? token->tkn_domain_name : "-NULL-", 805 (token->tkn_account_name) ? token->tkn_account_name : "-NULL-"); 806 807 syslog(LOG_DEBUG, " User->Attr: %d", token->tkn_user.i_attrs); 808 smb_sid_tostr((smb_sid_t *)token->tkn_user.i_sid, sidstr); 809 syslog(LOG_DEBUG, " User->Sid: %s (id=%u)", sidstr, 810 token->tkn_user.i_id); 811 812 smb_sid_tostr((smb_sid_t *)token->tkn_owner.i_sid, sidstr); 813 syslog(LOG_DEBUG, " Ownr->Sid: %s (id=%u)", 814 sidstr, token->tkn_owner.i_id); 815 816 smb_sid_tostr((smb_sid_t *)token->tkn_primary_grp.i_sid, sidstr); 817 syslog(LOG_DEBUG, " PGrp->Sid: %s (id=%u)", 818 sidstr, token->tkn_primary_grp.i_id); 819 820 w_grps = &token->tkn_win_grps; 821 if (w_grps->i_ids) { 822 syslog(LOG_DEBUG, " Windows groups: %d", w_grps->i_cnt); 823 grp = w_grps->i_ids; 824 for (i = 0; i < w_grps->i_cnt; ++i, grp++) { 825 syslog(LOG_DEBUG, 826 " Grp[%d].Attr:%d", i, grp->i_attrs); 827 if (grp->i_sid != NULL) { 828 smb_sid_tostr((smb_sid_t *)grp->i_sid, sidstr); 829 syslog(LOG_DEBUG, 830 " Grp[%d].Sid: %s (id=%u)", i, sidstr, 831 grp->i_id); 832 } 833 } 834 } else { 835 syslog(LOG_DEBUG, " No Windows groups"); 836 } 837 838 x_grps = token->tkn_posix_grps; 839 if (x_grps) { 840 syslog(LOG_DEBUG, " Solaris groups: %d", x_grps->pg_ngrps); 841 for (i = 0; i < x_grps->pg_ngrps; i++) 842 syslog(LOG_DEBUG, " %u", x_grps->pg_grps[i]); 843 } else { 844 syslog(LOG_DEBUG, " No Solaris groups"); 845 } 846 847 if (token->tkn_privileges) 848 smb_privset_log(token->tkn_privileges); 849 else 850 syslog(LOG_DEBUG, " No privileges"); 851 } 852 853 /* 854 * Sets up local and well-known group membership for the given 855 * token. Two assumptions have been made here: 856 * 857 * a) token already contains a valid user SID so that group 858 * memberships can be established 859 * 860 * b) token belongs to a local or anonymous user 861 */ 862 static uint32_t 863 smb_token_setup_wingrps(smb_token_t *token) 864 { 865 smb_ids_t tkn_grps; 866 uint32_t status; 867 868 869 /* 870 * We always want the user's primary group in the list 871 * of groups. 872 */ 873 tkn_grps.i_cnt = 1; 874 if ((tkn_grps.i_ids = malloc(sizeof (smb_id_t))) == NULL) 875 return (NT_STATUS_NO_MEMORY); 876 877 tkn_grps.i_ids->i_sid = smb_sid_dup(token->tkn_primary_grp.i_sid); 878 tkn_grps.i_ids->i_attrs = token->tkn_primary_grp.i_attrs; 879 if (tkn_grps.i_ids->i_sid == NULL) { 880 smb_ids_free(&tkn_grps); 881 return (NT_STATUS_NO_MEMORY); 882 } 883 884 status = smb_sam_usr_groups(token->tkn_user.i_sid, &tkn_grps); 885 if (status != NT_STATUS_SUCCESS) { 886 smb_ids_free(&tkn_grps); 887 return (status); 888 } 889 890 status = smb_wka_token_groups(token->tkn_flags, &tkn_grps); 891 if (status != NT_STATUS_SUCCESS) { 892 smb_ids_free(&tkn_grps); 893 return (status); 894 } 895 896 token->tkn_win_grps = tkn_grps; 897 return (status); 898 } 899 900 /* 901 * Returns the guest account name in the provided buffer. 902 * 903 * By default the name would be "guest" unless there's 904 * a idmap name-based rule which maps the guest to a local 905 * Solaris user in which case the name of that user is 906 * returned. 907 */ 908 static void 909 smb_guest_account(char *guest, size_t buflen) 910 { 911 idmap_stat stat; 912 uid_t guest_uid; 913 struct passwd pw; 914 char pwbuf[1024]; 915 int idtype; 916 917 /* default Guest account name */ 918 (void) rw_rdlock(&smb_logoninit_rwl); 919 (void) strlcpy(guest, smb_guest.a_name, buflen); 920 921 idtype = SMB_IDMAP_USER; 922 stat = smb_idmap_getid(smb_guest.a_sid, &guest_uid, &idtype); 923 (void) rw_unlock(&smb_logoninit_rwl); 924 925 if (stat != IDMAP_SUCCESS) 926 return; 927 928 /* If Ephemeral ID return the default name */ 929 if (IDMAP_ID_IS_EPHEMERAL(guest_uid)) 930 return; 931 932 if (getpwuid_r(guest_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL) 933 return; 934 935 (void) strlcpy(guest, pw.pw_name, buflen); 936 } 937