xref: /illumos-gate/usr/src/lib/smbsrv/libmlsvc/common/smb_logon.c (revision b31b5de1357c915fe7dab4d9646d9d84f9fe69bc)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * Security database interface.
28  */
29 #include <unistd.h>
30 #include <strings.h>
31 #include <pwd.h>
32 #include <grp.h>
33 #include <time.h>
34 #include <syslog.h>
35 #include <assert.h>
36 
37 #include <smbsrv/libsmb.h>
38 #include <smbsrv/libmlsvc.h>
39 
40 #include <smbsrv/smbinfo.h>
41 #include <smbsrv/smb_token.h>
42 #include <lsalib.h>
43 
44 extern uint32_t netlogon_logon(netr_client_t *, smb_token_t *);
45 static uint32_t smb_logon_domain(netr_client_t *, smb_token_t *);
46 static uint32_t smb_logon_local(netr_client_t *, smb_token_t *);
47 static uint32_t smb_logon_anon(netr_client_t *, smb_token_t *);
48 
49 static uint32_t smb_token_setup_local(smb_passwd_t *, smb_token_t *);
50 static uint32_t smb_token_setup_anon(smb_token_t *token);
51 
52 static boolean_t smb_token_is_member(smb_token_t *, smb_sid_t *);
53 static uint32_t smb_token_setup_wingrps(smb_token_t *);
54 static smb_posix_grps_t *smb_token_create_pxgrps(uid_t);
55 
56 /* Consolidation private function from Network Repository */
57 extern int _getgroupsbymember(const char *, gid_t[], int, int);
58 
59 static idmap_stat
60 smb_token_idmap(smb_token_t *token, smb_idmap_batch_t *sib)
61 {
62 	idmap_stat stat;
63 	smb_idmap_t *sim;
64 	smb_id_t *id;
65 	int i;
66 
67 	if (!token || !sib)
68 		return (IDMAP_ERR_ARG);
69 
70 	sim = sib->sib_maps;
71 
72 	if (token->tkn_flags & SMB_ATF_ANON) {
73 		token->tkn_user.i_id = UID_NOBODY;
74 		token->tkn_owner.i_id = UID_NOBODY;
75 	} else {
76 		/* User SID */
77 		id = &token->tkn_user;
78 		sim->sim_id = &id->i_id;
79 		stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++,
80 		    id->i_sid, SMB_IDMAP_USER);
81 
82 		if (stat != IDMAP_SUCCESS)
83 			return (stat);
84 
85 		/* Owner SID */
86 		id = &token->tkn_owner;
87 		sim->sim_id = &id->i_id;
88 		stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++,
89 		    id->i_sid, SMB_IDMAP_USER);
90 
91 		if (stat != IDMAP_SUCCESS)
92 			return (stat);
93 	}
94 
95 	/* Primary Group SID */
96 	id = &token->tkn_primary_grp;
97 	sim->sim_id = &id->i_id;
98 	stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, id->i_sid,
99 	    SMB_IDMAP_GROUP);
100 
101 	if (stat != IDMAP_SUCCESS)
102 		return (stat);
103 
104 	/* Other Windows Group SIDs */
105 	for (i = 0; i < token->tkn_win_grps.i_cnt; i++, sim++) {
106 		id = &token->tkn_win_grps.i_ids[i];
107 		sim->sim_id = &id->i_id;
108 		stat = smb_idmap_batch_getid(sib->sib_idmaph, sim,
109 		    id->i_sid, SMB_IDMAP_GROUP);
110 
111 		if (stat != IDMAP_SUCCESS)
112 			break;
113 	}
114 
115 	return (stat);
116 }
117 
118 /*
119  * smb_token_sids2ids
120  *
121  * This will map all the SIDs of the access token to UIDs/GIDs.
122  *
123  * Returns 0 upon success.  Otherwise, returns -1.
124  */
125 static int
126 smb_token_sids2ids(smb_token_t *token)
127 {
128 	idmap_stat stat;
129 	int nmaps, retries = 0;
130 	smb_idmap_batch_t sib;
131 
132 	/*
133 	 * Number of idmap lookups: user SID, owner SID, primary group SID,
134 	 * and all Windows group SIDs. Skip user/owner SID for Anonymous.
135 	 */
136 	if (token->tkn_flags & SMB_ATF_ANON)
137 		nmaps = token->tkn_win_grps.i_cnt + 1;
138 	else
139 		nmaps = token->tkn_win_grps.i_cnt + 3;
140 
141 	do {
142 		stat = smb_idmap_batch_create(&sib, nmaps, SMB_IDMAP_SID2ID);
143 		if (stat != IDMAP_SUCCESS)
144 			return (-1);
145 
146 		stat = smb_token_idmap(token, &sib);
147 		if (stat != IDMAP_SUCCESS) {
148 			smb_idmap_batch_destroy(&sib);
149 			return (-1);
150 		}
151 
152 		stat = smb_idmap_batch_getmappings(&sib);
153 		smb_idmap_batch_destroy(&sib);
154 		if (stat == IDMAP_ERR_RPC_HANDLE)
155 			if (smb_idmap_restart() < 0)
156 				break;
157 	} while (stat == IDMAP_ERR_RPC_HANDLE && retries++ < 3);
158 
159 	return (stat == IDMAP_SUCCESS ? 0 : -1);
160 }
161 
162 /*
163  * smb_token_create_pxgrps
164  *
165  * Setup the POSIX group membership of the access token if the given UID is
166  * a POSIX UID (non-ephemeral). Both the user's primary group and
167  * supplementary groups will be added to the POSIX group array of the access
168  * token.
169  */
170 static smb_posix_grps_t *
171 smb_token_create_pxgrps(uid_t uid)
172 {
173 	struct passwd *pwd;
174 	smb_posix_grps_t *pgrps;
175 	int ngroups_max, num;
176 	gid_t *gids;
177 
178 	if ((ngroups_max = sysconf(_SC_NGROUPS_MAX)) < 0) {
179 		syslog(LOG_ERR, "smb_logon: failed to get _SC_NGROUPS_MAX");
180 		return (NULL);
181 	}
182 
183 	pwd = getpwuid(uid);
184 	if (pwd == NULL) {
185 		pgrps = malloc(sizeof (smb_posix_grps_t));
186 		if (pgrps == NULL)
187 			return (NULL);
188 
189 		pgrps->pg_ngrps = 0;
190 		return (pgrps);
191 	}
192 
193 	if (pwd->pw_name == NULL) {
194 		pgrps = malloc(sizeof (smb_posix_grps_t));
195 		if (pgrps == NULL)
196 			return (NULL);
197 
198 		pgrps->pg_ngrps = 1;
199 		pgrps->pg_grps[0] = pwd->pw_gid;
200 		return (pgrps);
201 	}
202 
203 	gids = (gid_t *)malloc(ngroups_max * sizeof (gid_t));
204 	if (gids == NULL) {
205 		return (NULL);
206 	}
207 	bzero(gids, ngroups_max * sizeof (gid_t));
208 
209 	gids[0] = pwd->pw_gid;
210 
211 	/*
212 	 * Setup the groups starting at index 1 (the last arg)
213 	 * of gids array.
214 	 */
215 	num = _getgroupsbymember(pwd->pw_name, gids, ngroups_max, 1);
216 
217 	if (num == -1) {
218 		syslog(LOG_ERR, "smb_logon: unable "
219 		    "to get user's supplementary groups");
220 		num = 1;
221 	}
222 
223 	pgrps = (smb_posix_grps_t *)malloc(SMB_POSIX_GRPS_SIZE(num));
224 	if (pgrps) {
225 		pgrps->pg_ngrps = num;
226 		bcopy(gids, pgrps->pg_grps, num * sizeof (gid_t));
227 	}
228 
229 	free(gids);
230 	return (pgrps);
231 }
232 
233 /*
234  * smb_token_destroy
235  *
236  * Release all of the memory associated with a token structure. Ensure
237  * that the token has been unlinked before calling.
238  */
239 void
240 smb_token_destroy(smb_token_t *token)
241 {
242 	if (token != NULL) {
243 		smb_sid_free(token->tkn_user.i_sid);
244 		smb_sid_free(token->tkn_owner.i_sid);
245 		smb_sid_free(token->tkn_primary_grp.i_sid);
246 		smb_ids_free(&token->tkn_win_grps);
247 		smb_privset_free(token->tkn_privileges);
248 		free(token->tkn_posix_grps);
249 		free(token->tkn_account_name);
250 		free(token->tkn_domain_name);
251 		free(token->tkn_session_key);
252 		free(token);
253 	}
254 }
255 
256 /*
257  * Token owner should be set to local Administrators group
258  * in two cases:
259  *   1. The logged on user is a member of Domain Admins group
260  *   2. he/she is a member of local Administrators group
261  */
262 static void
263 smb_token_set_owner(smb_token_t *token)
264 {
265 #ifdef SMB_SUPPORT_GROUP_OWNER
266 	smb_sid_t *owner_sid;
267 
268 	if (token->tkn_flags & SMB_ATF_ADMIN) {
269 		owner_sid = smb_wka_get_sid("Administrators");
270 		assert(owner_sid);
271 	} else {
272 		owner_sid = token->tkn_user->i_sid;
273 	}
274 
275 	token->tkn_owner.i_sid = smb_sid_dup(owner_sid);
276 #endif
277 	token->tkn_owner.i_sid = smb_sid_dup(token->tkn_user.i_sid);
278 }
279 
280 static smb_privset_t *
281 smb_token_create_privs(smb_token_t *token)
282 {
283 	smb_privset_t *privs;
284 	smb_giter_t gi;
285 	smb_group_t grp;
286 	int rc;
287 
288 	privs = smb_privset_new();
289 	if (privs == NULL)
290 		return (NULL);
291 
292 	if (smb_lgrp_iteropen(&gi) != SMB_LGRP_SUCCESS) {
293 		smb_privset_free(privs);
294 		return (NULL);
295 	}
296 
297 	while (smb_lgrp_iterate(&gi, &grp) == SMB_LGRP_SUCCESS) {
298 		if (smb_lgrp_is_member(&grp, token->tkn_user.i_sid))
299 			smb_privset_merge(privs, grp.sg_privs);
300 		smb_lgrp_free(&grp);
301 	}
302 	smb_lgrp_iterclose(&gi);
303 
304 	if (token->tkn_flags & SMB_ATF_ADMIN) {
305 		rc = smb_lgrp_getbyname("Administrators", &grp);
306 		if (rc == SMB_LGRP_SUCCESS) {
307 			smb_privset_merge(privs, grp.sg_privs);
308 			smb_lgrp_free(&grp);
309 		}
310 
311 		/*
312 		 * This privilege is required to view/edit SACL
313 		 */
314 		smb_privset_enable(privs, SE_SECURITY_LUID);
315 	}
316 
317 	return (privs);
318 }
319 
320 static void
321 smb_token_set_flags(smb_token_t *token)
322 {
323 	uint32_t rid;
324 
325 	(void) smb_sid_getrid(token->tkn_user.i_sid, &rid);
326 	if (rid == DOMAIN_USER_RID_GUEST) {
327 		token->tkn_flags |= SMB_ATF_GUEST;
328 		return;
329 	}
330 
331 	if (smb_token_is_member(token, smb_wka_get_sid("Administrators")))
332 		token->tkn_flags |= SMB_ATF_ADMIN;
333 
334 	if (smb_token_is_member(token, smb_wka_get_sid("Power Users")))
335 		token->tkn_flags |= SMB_ATF_POWERUSER;
336 
337 	if (smb_token_is_member(token, smb_wka_get_sid("Backup Operators")))
338 		token->tkn_flags |= SMB_ATF_BACKUPOP;
339 }
340 
341 /*
342  * Common token setup for both local and domain users.
343  * This function must be called after the initial setup
344  * has been done.
345  *
346  * Note that the order of calls in this function are important.
347  */
348 static uint32_t
349 smb_token_setup_common(smb_token_t *token)
350 {
351 	smb_token_set_flags(token);
352 
353 	smb_token_set_owner(token);
354 	if (token->tkn_owner.i_sid == NULL)
355 		return (NT_STATUS_NO_MEMORY);
356 
357 	/* Privileges */
358 	token->tkn_privileges = smb_token_create_privs(token);
359 	if (token->tkn_privileges == NULL)
360 		return (NT_STATUS_NO_MEMORY);
361 
362 	if (smb_token_sids2ids(token) != 0) {
363 		syslog(LOG_ERR, "%s\\%s: idmap failed",
364 		    token->tkn_domain_name, token->tkn_account_name);
365 		return (NT_STATUS_INTERNAL_ERROR);
366 	}
367 
368 	/* Solaris Groups */
369 	token->tkn_posix_grps = smb_token_create_pxgrps(token->tkn_user.i_id);
370 
371 	return (NT_STATUS_SUCCESS);
372 }
373 
374 /*
375  * smb_logon
376  *
377  * Performs user authentication and creates a token if the
378  * authentication is successful.
379  *
380  * Returns pointer to the created token.
381  */
382 smb_token_t *
383 smb_logon(netr_client_t *clnt)
384 {
385 	smb_token_t *token = NULL;
386 	uint32_t status;
387 
388 	if ((token = malloc(sizeof (smb_token_t))) == NULL) {
389 		syslog(LOG_ERR, "smb_logon: resource shortage");
390 		return (NULL);
391 	}
392 	bzero(token, sizeof (smb_token_t));
393 
394 	status = smb_logon_anon(clnt, token);
395 	if (status == NT_STATUS_INVALID_LOGON_TYPE) {
396 		status = smb_logon_local(clnt, token);
397 		if (status != NT_STATUS_SUCCESS) {
398 			if ((status == NT_STATUS_INVALID_LOGON_TYPE) ||
399 			    (*clnt->real_domain == '\0'))
400 				status = smb_logon_domain(clnt, token);
401 		}
402 	}
403 
404 	if (status == NT_STATUS_SUCCESS) {
405 		if (smb_token_setup_common(token) == NT_STATUS_SUCCESS)
406 			return (token);
407 	}
408 
409 	smb_token_destroy(token);
410 	return (NULL);
411 }
412 
413 /*
414  * smb_logon_domain
415  *
416  * Performs pass through authentication with PDC.
417  */
418 static uint32_t
419 smb_logon_domain(netr_client_t *clnt, smb_token_t *token)
420 {
421 	uint32_t status;
422 
423 	if ((status = netlogon_logon(clnt, token)) != 0) {
424 		if (status == NT_STATUS_CANT_ACCESS_DOMAIN_INFO) {
425 			if ((status = netlogon_logon(clnt, token)) != 0) {
426 				syslog(LOG_INFO, "SmbLogon[%s\\%s]: %s",
427 				    clnt->real_domain, clnt->real_username,
428 				    xlate_nt_status(status));
429 				return (status);
430 			}
431 		}
432 	}
433 
434 	return (status);
435 }
436 
437 /*
438  * smb_logon_local
439  *
440  * Check to see if connected user has an entry in the local
441  * smbpasswd database. If it has, tries both LM hash and NT
442  * hash with user's password(s) to authenticate the user.
443  */
444 static uint32_t
445 smb_logon_local(netr_client_t *clnt, smb_token_t *token)
446 {
447 	smb_passwd_t smbpw;
448 	boolean_t lm_ok, nt_ok;
449 	uint32_t status;
450 	nt_domain_t *domain;
451 
452 	/* Make sure this is not a domain user */
453 	if (smb_config_get_secmode() == SMB_SECMODE_DOMAIN) {
454 		domain = nt_domain_lookup_name(clnt->real_domain);
455 		if (domain && (domain->type != NT_DOMAIN_LOCAL))
456 			return (NT_STATUS_INVALID_LOGON_TYPE);
457 	}
458 
459 	if (smb_pwd_getpwnam(clnt->real_username, &smbpw) == NULL) {
460 		/*
461 		 * If user doesn't have entry either in smbpasswd
462 		 * or passwd it's considered as an invalid user.
463 		 */
464 		status = NT_STATUS_NO_SUCH_USER;
465 		syslog(LOG_NOTICE, "SmbLogon[%s\\%s]: %s",
466 		    clnt->real_domain, clnt->real_username,
467 		    xlate_nt_status(status));
468 		return (status);
469 	}
470 	if (smbpw.pw_flags & SMB_PWF_DISABLE)
471 		return (NT_STATUS_ACCOUNT_DISABLED);
472 
473 	nt_ok = lm_ok = B_FALSE;
474 	if ((smbpw.pw_flags & SMB_PWF_LM) &&
475 	    (clnt->lm_password.lm_password_len != 0)) {
476 		lm_ok = smb_auth_validate_lm(
477 		    clnt->challenge_key.challenge_key_val,
478 		    clnt->challenge_key.challenge_key_len,
479 		    &smbpw,
480 		    clnt->lm_password.lm_password_val,
481 		    clnt->lm_password.lm_password_len,
482 		    clnt->domain,
483 		    clnt->username);
484 		token->tkn_session_key = NULL;
485 	}
486 
487 	if (!lm_ok && (clnt->nt_password.nt_password_len != 0)) {
488 		token->tkn_session_key = malloc(SMBAUTH_SESSION_KEY_SZ);
489 		if (token->tkn_session_key == NULL)
490 			return (NT_STATUS_NO_MEMORY);
491 		nt_ok = smb_auth_validate_nt(
492 		    clnt->challenge_key.challenge_key_val,
493 		    clnt->challenge_key.challenge_key_len,
494 		    &smbpw,
495 		    clnt->nt_password.nt_password_val,
496 		    clnt->nt_password.nt_password_len,
497 		    clnt->domain,
498 		    clnt->username,
499 		    (uchar_t *)token->tkn_session_key);
500 	}
501 
502 	if (!nt_ok && !lm_ok) {
503 		status = NT_STATUS_WRONG_PASSWORD;
504 		syslog(LOG_NOTICE, "SmbLogon[%s\\%s]: %s",
505 		    clnt->real_domain, clnt->real_username,
506 		    xlate_nt_status(status));
507 		return (status);
508 	}
509 
510 	status = smb_token_setup_local(&smbpw, token);
511 	return (status);
512 }
513 
514 /*
515  * If 'clnt' represents an anonymous user (no password)
516  * then setup the token accordingly, otherwise return
517  * NT_STATUS_INVALID_LOGON_TYPE
518  */
519 static uint32_t
520 smb_logon_anon(netr_client_t *clnt, smb_token_t *token)
521 {
522 	if ((clnt->nt_password.nt_password_len == 0) &&
523 	    (clnt->lm_password.lm_password_len == 0 ||
524 	    (clnt->lm_password.lm_password_len == 1 &&
525 	    *clnt->lm_password.lm_password_val == '\0'))) {
526 		return (smb_token_setup_anon(token));
527 	}
528 
529 	return (NT_STATUS_INVALID_LOGON_TYPE);
530 }
531 
532 /*
533  * Setup an access token for the specified local user.
534  */
535 static uint32_t
536 smb_token_setup_local(smb_passwd_t *smbpw, smb_token_t *token)
537 {
538 	idmap_stat stat;
539 	smb_idmap_batch_t sib;
540 	smb_idmap_t *umap, *gmap;
541 	struct passwd pw;
542 	char pwbuf[1024];
543 	char nbname[NETBIOS_NAME_SZ];
544 
545 	(void) smb_getnetbiosname(nbname, sizeof (nbname));
546 	token->tkn_account_name = strdup(smbpw->pw_name);
547 	token->tkn_domain_name = strdup(nbname);
548 
549 	if (token->tkn_account_name == NULL ||
550 	    token->tkn_domain_name == NULL)
551 		return (NT_STATUS_NO_MEMORY);
552 
553 	if (getpwuid_r(smbpw->pw_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL)
554 		return (NT_STATUS_NO_SUCH_USER);
555 
556 	/* Get the SID for user's uid & gid */
557 	stat = smb_idmap_batch_create(&sib, 2, SMB_IDMAP_ID2SID);
558 	if (stat != IDMAP_SUCCESS)
559 		return (NT_STATUS_INTERNAL_ERROR);
560 
561 	umap = &sib.sib_maps[0];
562 	stat = smb_idmap_batch_getsid(sib.sib_idmaph, umap, pw.pw_uid,
563 	    SMB_IDMAP_USER);
564 
565 	if (stat != IDMAP_SUCCESS) {
566 		smb_idmap_batch_destroy(&sib);
567 		return (NT_STATUS_INTERNAL_ERROR);
568 	}
569 
570 	gmap = &sib.sib_maps[1];
571 	stat = smb_idmap_batch_getsid(sib.sib_idmaph, gmap, pw.pw_gid,
572 	    SMB_IDMAP_GROUP);
573 
574 	if (stat != IDMAP_SUCCESS) {
575 		smb_idmap_batch_destroy(&sib);
576 		return (NT_STATUS_INTERNAL_ERROR);
577 	}
578 
579 	if (smb_idmap_batch_getmappings(&sib) != IDMAP_SUCCESS)
580 		return (NT_STATUS_INTERNAL_ERROR);
581 
582 	token->tkn_user.i_sid = smb_sid_dup(umap->sim_sid);
583 	token->tkn_primary_grp.i_sid = smb_sid_dup(gmap->sim_sid);
584 
585 	smb_idmap_batch_destroy(&sib);
586 
587 	if (token->tkn_user.i_sid == NULL ||
588 	    token->tkn_primary_grp.i_sid == NULL)
589 		return (NT_STATUS_NO_MEMORY);
590 
591 	return (smb_token_setup_wingrps(token));
592 }
593 
594 /*
595  * Setup access token for an anonymous connection
596  */
597 static uint32_t
598 smb_token_setup_anon(smb_token_t *token)
599 {
600 	char nbname[NETBIOS_NAME_SZ];
601 	smb_sid_t *user_sid;
602 
603 	(void) smb_getnetbiosname(nbname, sizeof (nbname));
604 	token->tkn_account_name = strdup("Anonymous");
605 	token->tkn_domain_name = strdup("NT Authority");
606 	user_sid = smb_wka_get_sid("Anonymous");
607 	token->tkn_user.i_sid = smb_sid_dup(user_sid);
608 	token->tkn_primary_grp.i_sid = smb_sid_dup(user_sid);
609 	token->tkn_flags = SMB_ATF_ANON;
610 
611 	if (token->tkn_account_name == NULL ||
612 	    token->tkn_domain_name == NULL ||
613 	    token->tkn_user.i_sid == NULL ||
614 	    token->tkn_primary_grp.i_sid == NULL)
615 		return (NT_STATUS_NO_MEMORY);
616 
617 	return (smb_token_setup_wingrps(token));
618 }
619 
620 /*
621  * smb_token_user_sid
622  *
623  * Return a pointer to the user SID in the specified token. A null
624  * pointer indicates an error.
625  */
626 static smb_sid_t *
627 smb_token_user_sid(smb_token_t *token)
628 {
629 	return ((token) ? token->tkn_user.i_sid : NULL);
630 }
631 
632 /*
633  * smb_token_group_sid
634  *
635  * Return a pointer to the group SID as indicated by the iterator.
636  * Setting the iterator to 0 before calling this function will return
637  * the first group, which will always be the primary group. The
638  * iterator will be incremented before returning the SID so that this
639  * function can be used to cycle through the groups. The caller can
640  * adjust the iterator as required between calls to obtain any specific
641  * group.
642  *
643  * On success a pointer to the appropriate group SID will be returned.
644  * Otherwise a null pointer will be returned.
645  */
646 static smb_sid_t *
647 smb_token_group_sid(smb_token_t *token, int *iterator)
648 {
649 	int index;
650 
651 	if (token == NULL || iterator == NULL)
652 		return (NULL);
653 
654 	if (token->tkn_win_grps.i_ids == NULL)
655 		return (NULL);
656 
657 	index = *iterator;
658 
659 	if (index < 0 || index >= token->tkn_win_grps.i_cnt)
660 		return (NULL);
661 
662 	++(*iterator);
663 	return (token->tkn_win_grps.i_ids[index].i_sid);
664 }
665 
666 /*
667  * smb_token_is_member
668  *
669  * This function will determine whether or not the specified SID is a
670  * member of a token. The user SID and all group SIDs are tested.
671  * Returns 1 if the SID is a member of the token. Otherwise returns 0.
672  */
673 static boolean_t
674 smb_token_is_member(smb_token_t *token, smb_sid_t *sid)
675 {
676 	smb_sid_t *tsid;
677 	int iterator = 0;
678 
679 	if (token == NULL || sid == NULL)
680 		return (B_FALSE);
681 
682 	tsid = smb_token_user_sid(token);
683 	while (tsid) {
684 		if (smb_sid_cmp(tsid, sid))
685 			return (B_TRUE);
686 
687 		tsid = smb_token_group_sid(token, &iterator);
688 	}
689 
690 	return (B_FALSE);
691 }
692 
693 /*
694  * smb_token_log
695  *
696  * Diagnostic routine to write the contents of a token to the log.
697  */
698 void
699 smb_token_log(smb_token_t *token)
700 {
701 	smb_ids_t *w_grps;
702 	smb_id_t *grp;
703 	smb_posix_grps_t *x_grps;
704 	char sidstr[SMB_SID_STRSZ];
705 	int i;
706 
707 	if (token == NULL)
708 		return;
709 
710 	syslog(LOG_DEBUG, "Token for %s\\%s",
711 	    (token->tkn_domain_name) ? token->tkn_domain_name : "-NULL-",
712 	    (token->tkn_account_name) ? token->tkn_account_name : "-NULL-");
713 
714 	syslog(LOG_DEBUG, "   User->Attr: %d", token->tkn_user.i_attrs);
715 	smb_sid_tostr((smb_sid_t *)token->tkn_user.i_sid, sidstr);
716 	syslog(LOG_DEBUG, "   User->Sid: %s (id=%u)", sidstr,
717 	    token->tkn_user.i_id);
718 
719 	smb_sid_tostr((smb_sid_t *)token->tkn_owner.i_sid, sidstr);
720 	syslog(LOG_DEBUG, "   Ownr->Sid: %s (id=%u)",
721 	    sidstr, token->tkn_owner.i_id);
722 
723 	smb_sid_tostr((smb_sid_t *)token->tkn_primary_grp.i_sid, sidstr);
724 	syslog(LOG_DEBUG, "   PGrp->Sid: %s (id=%u)",
725 	    sidstr, token->tkn_primary_grp.i_id);
726 
727 	w_grps = &token->tkn_win_grps;
728 	if (w_grps->i_ids) {
729 		syslog(LOG_DEBUG, "   Windows groups: %d", w_grps->i_cnt);
730 		grp = w_grps->i_ids;
731 		for (i = 0; i < w_grps->i_cnt; ++i, grp++) {
732 			syslog(LOG_DEBUG,
733 			    "    Grp[%d].Attr:%d", i, grp->i_attrs);
734 			if (grp->i_sid != NULL) {
735 				smb_sid_tostr((smb_sid_t *)grp->i_sid, sidstr);
736 				syslog(LOG_DEBUG,
737 				    "    Grp[%d].Sid: %s (id=%u)", i, sidstr,
738 				    grp->i_id);
739 			}
740 		}
741 	} else {
742 		syslog(LOG_DEBUG, "   No Windows groups");
743 	}
744 
745 	x_grps = token->tkn_posix_grps;
746 	if (x_grps) {
747 		syslog(LOG_DEBUG, "   Solaris groups: %d", x_grps->pg_ngrps);
748 		for (i = 0; i < x_grps->pg_ngrps; i++)
749 			syslog(LOG_DEBUG, "    %u", x_grps->pg_grps[i]);
750 	} else {
751 		syslog(LOG_DEBUG, "   No Solaris groups");
752 	}
753 
754 	if (token->tkn_privileges)
755 		smb_privset_log(token->tkn_privileges);
756 	else
757 		syslog(LOG_DEBUG, "   No privileges");
758 }
759 
760 /*
761  * Sets up local and well-known group membership for the given
762  * token. Two assumptions have been made here:
763  *
764  *   a) token already contains a valid user SID so that group
765  *      memberships can be established
766  *
767  *   b) token belongs to a local or anonymous user
768  */
769 static uint32_t
770 smb_token_setup_wingrps(smb_token_t *token)
771 {
772 	smb_ids_t tkn_grps;
773 	uint32_t status;
774 
775 
776 	/*
777 	 * We always want the user's primary group in the list
778 	 * of groups.
779 	 */
780 	tkn_grps.i_cnt = 1;
781 	if ((tkn_grps.i_ids = malloc(sizeof (smb_id_t))) == NULL)
782 		return (NT_STATUS_NO_MEMORY);
783 
784 	tkn_grps.i_ids->i_sid = smb_sid_dup(token->tkn_primary_grp.i_sid);
785 	tkn_grps.i_ids->i_attrs = token->tkn_primary_grp.i_attrs;
786 	if (tkn_grps.i_ids->i_sid == NULL) {
787 		smb_ids_free(&tkn_grps);
788 		return (NT_STATUS_NO_MEMORY);
789 	}
790 
791 	status = smb_sam_usr_groups(token->tkn_user.i_sid, &tkn_grps);
792 	if (status != NT_STATUS_SUCCESS) {
793 		smb_ids_free(&tkn_grps);
794 		return (status);
795 	}
796 
797 	if ((token->tkn_flags & SMB_ATF_ANON) == 0) {
798 		status = smb_wka_token_groups(B_FALSE, &tkn_grps);
799 		if (status != NT_STATUS_SUCCESS) {
800 			smb_ids_free(&tkn_grps);
801 			return (status);
802 		}
803 	}
804 
805 	token->tkn_win_grps = tkn_grps;
806 	return (status);
807 }
808