1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright (c) 2016 by Delphix. All rights reserved. 24 * Copyright 2017 Nexenta Systems, Inc. All rights reserved. 25 */ 26 27 #include <unistd.h> 28 #include <strings.h> 29 #include <pwd.h> 30 #include <grp.h> 31 #include <time.h> 32 #include <syslog.h> 33 #include <assert.h> 34 #include <synch.h> 35 36 #include <smbsrv/libsmb.h> 37 #include <smbsrv/libmlsvc.h> 38 39 #include <smbsrv/smbinfo.h> 40 #include <smbsrv/smb_token.h> 41 #include <lsalib.h> 42 43 static smb_account_t smb_guest; 44 static smb_account_t smb_domusers; 45 static rwlock_t smb_logoninit_rwl; 46 47 typedef void (*smb_logonop_t)(smb_logon_t *, smb_token_t *); 48 49 static void smb_logon_local(smb_logon_t *, smb_token_t *); 50 static void smb_logon_guest(smb_logon_t *, smb_token_t *); 51 static void smb_logon_anon(smb_logon_t *, smb_token_t *); 52 53 static uint32_t smb_token_auth_local(smb_logon_t *, smb_token_t *, 54 smb_passwd_t *); 55 56 static uint32_t smb_token_setup_local(smb_passwd_t *, smb_token_t *); 57 static uint32_t smb_token_setup_guest(smb_logon_t *, smb_token_t *); 58 static uint32_t smb_token_setup_anon(smb_token_t *token); 59 60 static boolean_t smb_token_is_member(smb_token_t *, smb_sid_t *); 61 static uint32_t smb_token_setup_wingrps(smb_token_t *); 62 static smb_posix_grps_t *smb_token_create_pxgrps(uid_t); 63 64 static void smb_guest_account(char *, size_t); 65 66 /* Consolidation private function from Network Repository */ 67 extern int _getgroupsbymember(const char *, gid_t[], int, int); 68 69 static idmap_stat 70 smb_token_idmap(smb_token_t *token, smb_idmap_batch_t *sib) 71 { 72 idmap_stat stat; 73 smb_idmap_t *sim; 74 smb_id_t *id; 75 int i; 76 77 if (!token || !sib) 78 return (IDMAP_ERR_ARG); 79 80 sim = sib->sib_maps; 81 82 if (token->tkn_flags & SMB_ATF_ANON) { 83 token->tkn_user.i_id = UID_NOBODY; 84 token->tkn_owner.i_id = UID_NOBODY; 85 } else { 86 /* User SID */ 87 id = &token->tkn_user; 88 sim->sim_id = &id->i_id; 89 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, 90 id->i_sid, SMB_IDMAP_USER); 91 92 if (stat != IDMAP_SUCCESS) 93 return (stat); 94 95 /* Owner SID */ 96 id = &token->tkn_owner; 97 sim->sim_id = &id->i_id; 98 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, 99 id->i_sid, SMB_IDMAP_USER); 100 101 if (stat != IDMAP_SUCCESS) 102 return (stat); 103 } 104 105 /* Primary Group SID */ 106 id = &token->tkn_primary_grp; 107 sim->sim_id = &id->i_id; 108 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, id->i_sid, 109 SMB_IDMAP_GROUP); 110 111 if (stat != IDMAP_SUCCESS) 112 return (stat); 113 114 /* Other Windows Group SIDs */ 115 for (i = 0; i < token->tkn_win_grps.i_cnt; i++, sim++) { 116 id = &token->tkn_win_grps.i_ids[i]; 117 sim->sim_id = &id->i_id; 118 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim, 119 id->i_sid, SMB_IDMAP_GROUP); 120 121 if (stat != IDMAP_SUCCESS) 122 break; 123 } 124 125 return (stat); 126 } 127 128 /* 129 * smb_token_sids2ids 130 * 131 * This will map all the SIDs of the access token to UIDs/GIDs. 132 * 133 * Returns 0 upon success. Otherwise, returns -1. 134 */ 135 static int 136 smb_token_sids2ids(smb_token_t *token) 137 { 138 idmap_stat stat; 139 int nmaps; 140 smb_idmap_batch_t sib; 141 142 /* 143 * Number of idmap lookups: user SID, owner SID, primary group SID, 144 * and all Windows group SIDs. Skip user/owner SID for Anonymous. 145 */ 146 if (token->tkn_flags & SMB_ATF_ANON) 147 nmaps = token->tkn_win_grps.i_cnt + 1; 148 else 149 nmaps = token->tkn_win_grps.i_cnt + 3; 150 151 stat = smb_idmap_batch_create(&sib, nmaps, SMB_IDMAP_SID2ID); 152 if (stat != IDMAP_SUCCESS) 153 return (-1); 154 155 stat = smb_token_idmap(token, &sib); 156 if (stat != IDMAP_SUCCESS) { 157 smb_idmap_batch_destroy(&sib); 158 return (-1); 159 } 160 161 stat = smb_idmap_batch_getmappings(&sib); 162 smb_idmap_check("smb_idmap_batch_getmappings", stat); 163 smb_idmap_batch_destroy(&sib); 164 165 return (stat == IDMAP_SUCCESS ? 0 : -1); 166 } 167 168 /* 169 * smb_token_create_pxgrps 170 * 171 * Setup the POSIX group membership of the access token if the given UID is 172 * a POSIX UID (non-ephemeral). Both the user's primary group and 173 * supplementary groups will be added to the POSIX group array of the access 174 * token. 175 */ 176 static smb_posix_grps_t * 177 smb_token_create_pxgrps(uid_t uid) 178 { 179 struct passwd *pwd; 180 smb_posix_grps_t *pgrps; 181 int ngroups_max, num; 182 gid_t *gids; 183 184 if ((ngroups_max = sysconf(_SC_NGROUPS_MAX)) < 0) { 185 syslog(LOG_ERR, "smb_logon: failed to get _SC_NGROUPS_MAX"); 186 return (NULL); 187 } 188 189 pwd = getpwuid(uid); 190 if (pwd == NULL) { 191 pgrps = malloc(sizeof (smb_posix_grps_t)); 192 if (pgrps == NULL) 193 return (NULL); 194 195 pgrps->pg_ngrps = 0; 196 return (pgrps); 197 } 198 199 if (pwd->pw_name == NULL) { 200 pgrps = malloc(sizeof (smb_posix_grps_t)); 201 if (pgrps == NULL) 202 return (NULL); 203 204 pgrps->pg_ngrps = 1; 205 pgrps->pg_grps[0] = pwd->pw_gid; 206 return (pgrps); 207 } 208 209 gids = (gid_t *)malloc(ngroups_max * sizeof (gid_t)); 210 if (gids == NULL) { 211 return (NULL); 212 } 213 bzero(gids, ngroups_max * sizeof (gid_t)); 214 215 gids[0] = pwd->pw_gid; 216 217 /* 218 * Setup the groups starting at index 1 (the last arg) 219 * of gids array. 220 */ 221 num = _getgroupsbymember(pwd->pw_name, gids, ngroups_max, 1); 222 223 if (num == -1) { 224 syslog(LOG_ERR, "smb_logon: unable " 225 "to get user's supplementary groups"); 226 num = 1; 227 } 228 229 pgrps = (smb_posix_grps_t *)malloc(SMB_POSIX_GRPS_SIZE(num)); 230 if (pgrps) { 231 pgrps->pg_ngrps = num; 232 bcopy(gids, pgrps->pg_grps, num * sizeof (gid_t)); 233 } 234 235 free(gids); 236 return (pgrps); 237 } 238 239 /* 240 * smb_token_destroy 241 * 242 * Release all of the memory associated with a token structure. Ensure 243 * that the token has been unlinked before calling. 244 */ 245 void 246 smb_token_destroy(smb_token_t *token) 247 { 248 if (token != NULL) { 249 smb_sid_free(token->tkn_user.i_sid); 250 smb_sid_free(token->tkn_owner.i_sid); 251 smb_sid_free(token->tkn_primary_grp.i_sid); 252 smb_ids_free(&token->tkn_win_grps); 253 smb_privset_free(token->tkn_privileges); 254 free(token->tkn_posix_grps); 255 free(token->tkn_account_name); 256 free(token->tkn_domain_name); 257 free(token->tkn_ssnkey.val); 258 bzero(token, sizeof (smb_token_t)); 259 free(token); 260 } 261 } 262 263 /* 264 * Token owner should be set to local Administrators group 265 * in two cases: 266 * 1. The logged on user is a member of Domain Admins group 267 * 2. They are a member of local Administrators group 268 */ 269 static void 270 smb_token_set_owner(smb_token_t *token) 271 { 272 #ifdef SMB_SUPPORT_GROUP_OWNER 273 smb_sid_t *owner_sid; 274 275 if (token->tkn_flags & SMB_ATF_ADMIN) { 276 owner_sid = smb_wka_get_sid("Administrators"); 277 assert(owner_sid); 278 } else { 279 owner_sid = token->tkn_user->i_sid; 280 } 281 282 token->tkn_owner.i_sid = smb_sid_dup(owner_sid); 283 #endif 284 token->tkn_owner.i_sid = smb_sid_dup(token->tkn_user.i_sid); 285 } 286 287 static smb_privset_t * 288 smb_token_create_privs(smb_token_t *token) 289 { 290 smb_privset_t *privs; 291 smb_giter_t gi; 292 smb_group_t grp; 293 int rc; 294 295 privs = smb_privset_new(); 296 if (privs == NULL) 297 return (NULL); 298 299 if (smb_lgrp_iteropen(&gi) != SMB_LGRP_SUCCESS) { 300 smb_privset_free(privs); 301 return (NULL); 302 } 303 304 while (smb_lgrp_iterate(&gi, &grp) == SMB_LGRP_SUCCESS) { 305 if (smb_lgrp_is_member(&grp, token->tkn_user.i_sid)) 306 smb_privset_merge(privs, grp.sg_privs); 307 smb_lgrp_free(&grp); 308 } 309 smb_lgrp_iterclose(&gi); 310 311 if (token->tkn_flags & SMB_ATF_ADMIN) { 312 char admgrp[] = "Administrators"; 313 314 rc = smb_lgrp_getbyname(admgrp, &grp); 315 if (rc == SMB_LGRP_SUCCESS) { 316 smb_privset_merge(privs, grp.sg_privs); 317 smb_lgrp_free(&grp); 318 } 319 320 /* 321 * This privilege is required to view/edit SACL 322 */ 323 smb_privset_enable(privs, SE_SECURITY_LUID); 324 } 325 326 return (privs); 327 } 328 329 static void 330 smb_token_set_flags(smb_token_t *token) 331 { 332 if (smb_token_is_member(token, smb_wka_get_sid("Administrators"))) 333 token->tkn_flags |= SMB_ATF_ADMIN; 334 335 if (smb_token_is_member(token, smb_wka_get_sid("Power Users"))) 336 token->tkn_flags |= SMB_ATF_POWERUSER; 337 338 if (smb_token_is_member(token, smb_wka_get_sid("Backup Operators"))) 339 token->tkn_flags |= SMB_ATF_BACKUPOP; 340 } 341 342 /* 343 * Common token setup for both local and domain users. 344 * This function must be called after the initial setup 345 * has been done. 346 * 347 * Note that the order of calls in this function are important. 348 * 349 * Returns B_TRUE for success. 350 */ 351 boolean_t 352 smb_token_setup_common(smb_token_t *token) 353 { 354 smb_token_set_flags(token); 355 356 smb_token_set_owner(token); 357 if (token->tkn_owner.i_sid == NULL) 358 return (B_FALSE); 359 360 /* Privileges */ 361 token->tkn_privileges = smb_token_create_privs(token); 362 if (token->tkn_privileges == NULL) 363 return (B_FALSE); 364 365 if (smb_token_sids2ids(token) != 0) { 366 syslog(LOG_ERR, "%s\\%s: idmap failed", 367 token->tkn_domain_name, token->tkn_account_name); 368 return (B_FALSE); 369 } 370 371 /* Solaris Groups */ 372 token->tkn_posix_grps = smb_token_create_pxgrps(token->tkn_user.i_id); 373 374 return (smb_token_valid(token)); 375 } 376 377 uint32_t 378 smb_logon_init(void) 379 { 380 uint32_t status; 381 382 (void) rw_wrlock(&smb_logoninit_rwl); 383 status = smb_sam_lookup_name(NULL, "guest", SidTypeUser, &smb_guest); 384 if (status != NT_STATUS_SUCCESS) { 385 (void) rw_unlock(&smb_logoninit_rwl); 386 return (status); 387 } 388 389 status = smb_sam_lookup_name(NULL, "domain users", SidTypeGroup, 390 &smb_domusers); 391 if (status != NT_STATUS_SUCCESS) { 392 smb_account_free(&smb_guest); 393 bzero(&smb_guest, sizeof (smb_account_t)); 394 (void) rw_unlock(&smb_logoninit_rwl); 395 return (status); 396 } 397 398 (void) rw_unlock(&smb_logoninit_rwl); 399 return (status); 400 } 401 402 void 403 smb_logon_fini(void) 404 { 405 (void) rw_wrlock(&smb_logoninit_rwl); 406 smb_account_free(&smb_guest); 407 smb_account_free(&smb_domusers); 408 bzero(&smb_guest, sizeof (smb_account_t)); 409 bzero(&smb_domusers, sizeof (smb_account_t)); 410 (void) rw_unlock(&smb_logoninit_rwl); 411 } 412 413 /* 414 * Perform user authentication. 415 * 416 * The dispatched functions must only update the user_info status if they 417 * attempt to authenticate the user. 418 * 419 * On success, a pointer to a new access token is returned. 420 * On failure, NULL return and status in user_info->lg_status 421 */ 422 smb_token_t * 423 smb_logon(smb_logon_t *user_info) 424 { 425 static smb_logonop_t ops[] = { 426 smb_logon_anon, 427 smb_logon_local, 428 smb_logon_domain, 429 smb_logon_guest 430 }; 431 smb_token_t *token = NULL; 432 smb_domain_t domain; 433 int n_op = (sizeof (ops) / sizeof (ops[0])); 434 int i; 435 436 user_info->lg_secmode = smb_config_get_secmode(); 437 438 if (smb_domain_lookup_name(user_info->lg_e_domain, &domain)) 439 user_info->lg_domain_type = domain.di_type; 440 else 441 user_info->lg_domain_type = SMB_DOMAIN_NULL; 442 443 if ((token = calloc(1, sizeof (smb_token_t))) == NULL) { 444 syslog(LOG_ERR, "logon[%s\\%s]: %m", 445 user_info->lg_e_domain, user_info->lg_e_username); 446 return (NULL); 447 } 448 449 /* 450 * If any logonop function takes significant action 451 * (logon or authoratative failure) it will change 452 * this status field to something else. 453 */ 454 user_info->lg_status = NT_STATUS_NO_SUCH_USER; 455 for (i = 0; i < n_op; ++i) { 456 (*ops[i])(user_info, token); 457 458 if (user_info->lg_status == NT_STATUS_SUCCESS) 459 break; 460 } 461 462 if (user_info->lg_status == NT_STATUS_SUCCESS) { 463 if (smb_token_setup_common(token)) 464 return (token); /* success */ 465 /* 466 * (else) smb_token_setup_common failed, which usually 467 * means smb_token_sids2ids() failed to map some SIDs to 468 * Unix IDs. This indicates an idmap config problem. 469 */ 470 user_info->lg_status = NT_STATUS_INTERNAL_ERROR; 471 } 472 473 smb_token_destroy(token); 474 475 /* 476 * Any unknown user or bad password should result in 477 * NT_STATUS_LOGON_FAILURE (so we don't give hints). 478 */ 479 if (user_info->lg_status == NT_STATUS_NO_SUCH_USER || 480 user_info->lg_status == NT_STATUS_WRONG_PASSWORD) 481 user_info->lg_status = NT_STATUS_LOGON_FAILURE; 482 483 return (NULL); 484 } 485 486 /* 487 * If the user has an entry in the local database, attempt local authentication. 488 * 489 * In domain mode, we try to exclude domain accounts, which we do by only 490 * accepting local or null (blank) domain names here. Some clients (Mac OS) 491 * don't always send the domain name. 492 * 493 * If we are not going to attempt authentication, this function must return 494 * without updating the status. 495 */ 496 static void 497 smb_logon_local(smb_logon_t *user_info, smb_token_t *token) 498 { 499 char guest[SMB_USERNAME_MAXLEN]; 500 smb_passwd_t smbpw; 501 uint32_t status; 502 503 if (user_info->lg_secmode == SMB_SECMODE_DOMAIN) { 504 if ((user_info->lg_domain_type != SMB_DOMAIN_LOCAL) && 505 (user_info->lg_domain_type != SMB_DOMAIN_NULL)) 506 return; 507 } 508 509 /* 510 * If the requested account name is "guest" (or whatever 511 * our guest account is named) then don't handle it here. 512 * Let this request fall through to smb_logon_guest(). 513 */ 514 smb_guest_account(guest, SMB_USERNAME_MAXLEN); 515 if (smb_strcasecmp(guest, user_info->lg_e_username, 0) == 0) 516 return; 517 518 status = smb_token_auth_local(user_info, token, &smbpw); 519 if (status == NT_STATUS_SUCCESS) 520 status = smb_token_setup_local(&smbpw, token); 521 522 user_info->lg_status = status; 523 } 524 525 /* 526 * Guest authentication. This may be a local guest account or the guest 527 * account may be mapped to a local account. These accounts are regular 528 * accounts with normal password protection. 529 * 530 * Only proceed with a guest logon if previous logon options have resulted 531 * in NO_SUCH_USER. 532 * 533 * If we are not going to attempt authentication, this function must return 534 * without updating the status. 535 */ 536 static void 537 smb_logon_guest(smb_logon_t *user_info, smb_token_t *token) 538 { 539 char guest[SMB_USERNAME_MAXLEN]; 540 smb_passwd_t smbpw; 541 char *temp; 542 543 if (user_info->lg_status != NT_STATUS_NO_SUCH_USER) 544 return; 545 546 /* Get the name of the guest account. */ 547 smb_guest_account(guest, SMB_USERNAME_MAXLEN); 548 549 /* Does the guest account exist? */ 550 if (smb_pwd_getpwnam(guest, &smbpw) == NULL) 551 return; 552 553 /* Is it enabled? (empty p/w is OK) */ 554 if (smbpw.pw_flags & SMB_PWF_DISABLE) 555 return; 556 557 /* 558 * OK, give the client a guest logon. Note that on entry, 559 * lg_e_username is typically something other than "guest" 560 * so we need to set the effective username when createing 561 * the guest token. 562 */ 563 temp = user_info->lg_e_username; 564 user_info->lg_e_username = guest; 565 user_info->lg_status = smb_token_setup_guest(user_info, token); 566 user_info->lg_e_username = temp; 567 } 568 569 /* 570 * If user_info represents an anonymous user then setup the token. 571 * Otherwise return without updating the status. 572 */ 573 static void 574 smb_logon_anon(smb_logon_t *user_info, smb_token_t *token) 575 { 576 if (user_info->lg_flags & SMB_ATF_ANON) 577 user_info->lg_status = smb_token_setup_anon(token); 578 } 579 580 /* 581 * Try both LM hash and NT hashes with user's password(s) to authenticate 582 * the user. 583 */ 584 static uint32_t 585 smb_token_auth_local(smb_logon_t *user_info, smb_token_t *token, 586 smb_passwd_t *smbpw) 587 { 588 boolean_t ok; 589 uint32_t status = NT_STATUS_SUCCESS; 590 591 if (smb_pwd_getpwnam(user_info->lg_e_username, smbpw) == NULL) 592 return (NT_STATUS_NO_SUCH_USER); 593 594 if (smbpw->pw_flags & SMB_PWF_DISABLE) 595 return (NT_STATUS_ACCOUNT_DISABLED); 596 597 if ((smbpw->pw_flags & (SMB_PWF_LM | SMB_PWF_NT)) == 0) { 598 /* 599 * The SMB passwords have not been set. 600 * Return an error that suggests the 601 * password needs to be set. 602 */ 603 return (NT_STATUS_PASSWORD_EXPIRED); 604 } 605 606 token->tkn_ssnkey.val = malloc(SMBAUTH_SESSION_KEY_SZ); 607 if (token->tkn_ssnkey.val == NULL) 608 return (NT_STATUS_NO_MEMORY); 609 token->tkn_ssnkey.len = SMBAUTH_SESSION_KEY_SZ; 610 611 ok = smb_auth_validate( 612 smbpw, 613 user_info->lg_domain, 614 user_info->lg_username, 615 user_info->lg_challenge_key.val, 616 user_info->lg_challenge_key.len, 617 user_info->lg_nt_password.val, 618 user_info->lg_nt_password.len, 619 user_info->lg_lm_password.val, 620 user_info->lg_lm_password.len, 621 token->tkn_ssnkey.val); 622 if (ok) 623 return (NT_STATUS_SUCCESS); 624 625 free(token->tkn_ssnkey.val); 626 token->tkn_ssnkey.val = NULL; 627 token->tkn_ssnkey.len = 0; 628 629 status = NT_STATUS_WRONG_PASSWORD; 630 syslog(LOG_NOTICE, "logon[%s\\%s]: %s", 631 user_info->lg_e_domain, user_info->lg_e_username, 632 xlate_nt_status(status)); 633 634 return (status); 635 } 636 637 /* 638 * Setup an access token for the specified local user. 639 */ 640 static uint32_t 641 smb_token_setup_local(smb_passwd_t *smbpw, smb_token_t *token) 642 { 643 idmap_stat stat; 644 smb_idmap_batch_t sib; 645 smb_idmap_t *umap, *gmap; 646 struct passwd pw; 647 char pwbuf[1024]; 648 char nbname[NETBIOS_NAME_SZ]; 649 650 (void) smb_getnetbiosname(nbname, sizeof (nbname)); 651 token->tkn_account_name = strdup(smbpw->pw_name); 652 token->tkn_domain_name = strdup(nbname); 653 654 if (token->tkn_account_name == NULL || 655 token->tkn_domain_name == NULL) 656 return (NT_STATUS_NO_MEMORY); 657 658 if (getpwuid_r(smbpw->pw_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL) 659 return (NT_STATUS_NO_SUCH_USER); 660 661 /* Get the SID for user's uid & gid */ 662 stat = smb_idmap_batch_create(&sib, 2, SMB_IDMAP_ID2SID); 663 if (stat != IDMAP_SUCCESS) 664 return (NT_STATUS_INTERNAL_ERROR); 665 666 umap = &sib.sib_maps[0]; 667 stat = smb_idmap_batch_getsid(sib.sib_idmaph, umap, pw.pw_uid, 668 SMB_IDMAP_USER); 669 670 if (stat != IDMAP_SUCCESS) { 671 smb_idmap_batch_destroy(&sib); 672 return (NT_STATUS_INTERNAL_ERROR); 673 } 674 675 gmap = &sib.sib_maps[1]; 676 stat = smb_idmap_batch_getsid(sib.sib_idmaph, gmap, pw.pw_gid, 677 SMB_IDMAP_GROUP); 678 679 if (stat != IDMAP_SUCCESS) { 680 smb_idmap_batch_destroy(&sib); 681 return (NT_STATUS_INTERNAL_ERROR); 682 } 683 684 if (smb_idmap_batch_getmappings(&sib) != IDMAP_SUCCESS) 685 return (NT_STATUS_INTERNAL_ERROR); 686 687 token->tkn_user.i_sid = smb_sid_dup(umap->sim_sid); 688 token->tkn_primary_grp.i_sid = smb_sid_dup(gmap->sim_sid); 689 690 smb_idmap_batch_destroy(&sib); 691 692 if (token->tkn_user.i_sid == NULL || 693 token->tkn_primary_grp.i_sid == NULL) 694 return (NT_STATUS_NO_MEMORY); 695 696 return (smb_token_setup_wingrps(token)); 697 } 698 699 /* 700 * Setup access token for guest connections 701 */ 702 static uint32_t 703 smb_token_setup_guest(smb_logon_t *user_info, smb_token_t *token) 704 { 705 token->tkn_account_name = strdup(user_info->lg_e_username); 706 707 (void) rw_rdlock(&smb_logoninit_rwl); 708 token->tkn_domain_name = strdup(smb_guest.a_domain); 709 token->tkn_user.i_sid = smb_sid_dup(smb_guest.a_sid); 710 token->tkn_primary_grp.i_sid = smb_sid_dup(smb_domusers.a_sid); 711 (void) rw_unlock(&smb_logoninit_rwl); 712 token->tkn_flags = SMB_ATF_GUEST; 713 714 if (token->tkn_account_name == NULL || 715 token->tkn_domain_name == NULL || 716 token->tkn_user.i_sid == NULL || 717 token->tkn_primary_grp.i_sid == NULL) 718 return (NT_STATUS_NO_MEMORY); 719 720 return (smb_token_setup_wingrps(token)); 721 } 722 723 /* 724 * Setup access token for anonymous connections 725 */ 726 static uint32_t 727 smb_token_setup_anon(smb_token_t *token) 728 { 729 smb_sid_t *user_sid; 730 731 token->tkn_account_name = strdup("Anonymous"); 732 token->tkn_domain_name = strdup("NT Authority"); 733 user_sid = smb_wka_get_sid("Anonymous"); 734 token->tkn_user.i_sid = smb_sid_dup(user_sid); 735 token->tkn_primary_grp.i_sid = smb_sid_dup(user_sid); 736 token->tkn_flags = SMB_ATF_ANON; 737 738 if (token->tkn_account_name == NULL || 739 token->tkn_domain_name == NULL || 740 token->tkn_user.i_sid == NULL || 741 token->tkn_primary_grp.i_sid == NULL) 742 return (NT_STATUS_NO_MEMORY); 743 744 return (smb_token_setup_wingrps(token)); 745 } 746 747 /* 748 * smb_token_user_sid 749 * 750 * Return a pointer to the user SID in the specified token. A null 751 * pointer indicates an error. 752 */ 753 static smb_sid_t * 754 smb_token_user_sid(smb_token_t *token) 755 { 756 return ((token) ? token->tkn_user.i_sid : NULL); 757 } 758 759 /* 760 * smb_token_group_sid 761 * 762 * Return a pointer to the group SID as indicated by the iterator. 763 * Setting the iterator to 0 before calling this function will return 764 * the first group, which will always be the primary group. The 765 * iterator will be incremented before returning the SID so that this 766 * function can be used to cycle through the groups. The caller can 767 * adjust the iterator as required between calls to obtain any specific 768 * group. 769 * 770 * On success a pointer to the appropriate group SID will be returned. 771 * Otherwise a null pointer will be returned. 772 */ 773 static smb_sid_t * 774 smb_token_group_sid(smb_token_t *token, int *iterator) 775 { 776 int index; 777 778 if (token == NULL || iterator == NULL) 779 return (NULL); 780 781 if (token->tkn_win_grps.i_ids == NULL) 782 return (NULL); 783 784 index = *iterator; 785 786 if (index < 0 || index >= token->tkn_win_grps.i_cnt) 787 return (NULL); 788 789 ++(*iterator); 790 return (token->tkn_win_grps.i_ids[index].i_sid); 791 } 792 793 /* 794 * smb_token_is_member 795 * 796 * This function will determine whether or not the specified SID is a 797 * member of a token. The user SID and all group SIDs are tested. 798 * Returns 1 if the SID is a member of the token. Otherwise returns 0. 799 */ 800 static boolean_t 801 smb_token_is_member(smb_token_t *token, smb_sid_t *sid) 802 { 803 smb_sid_t *tsid; 804 int iterator = 0; 805 806 if (token == NULL || sid == NULL) 807 return (B_FALSE); 808 809 tsid = smb_token_user_sid(token); 810 while (tsid) { 811 if (smb_sid_cmp(tsid, sid)) 812 return (B_TRUE); 813 814 tsid = smb_token_group_sid(token, &iterator); 815 } 816 817 return (B_FALSE); 818 } 819 820 /* 821 * smb_token_log 822 * 823 * Diagnostic routine to write the contents of a token to the log. 824 */ 825 void 826 smb_token_log(smb_token_t *token) 827 { 828 smb_ids_t *w_grps; 829 smb_id_t *grp; 830 smb_posix_grps_t *x_grps; 831 char sidstr[SMB_SID_STRSZ]; 832 int i; 833 834 if (token == NULL) 835 return; 836 837 syslog(LOG_DEBUG, "Token for %s\\%s", 838 (token->tkn_domain_name) ? token->tkn_domain_name : "-NULL-", 839 (token->tkn_account_name) ? token->tkn_account_name : "-NULL-"); 840 841 syslog(LOG_DEBUG, " User->Attr: %d", token->tkn_user.i_attrs); 842 smb_sid_tostr((smb_sid_t *)token->tkn_user.i_sid, sidstr); 843 syslog(LOG_DEBUG, " User->Sid: %s (id=%u)", sidstr, 844 token->tkn_user.i_id); 845 846 smb_sid_tostr((smb_sid_t *)token->tkn_owner.i_sid, sidstr); 847 syslog(LOG_DEBUG, " Ownr->Sid: %s (id=%u)", 848 sidstr, token->tkn_owner.i_id); 849 850 smb_sid_tostr((smb_sid_t *)token->tkn_primary_grp.i_sid, sidstr); 851 syslog(LOG_DEBUG, " PGrp->Sid: %s (id=%u)", 852 sidstr, token->tkn_primary_grp.i_id); 853 854 w_grps = &token->tkn_win_grps; 855 if (w_grps->i_ids) { 856 syslog(LOG_DEBUG, " Windows groups: %d", w_grps->i_cnt); 857 grp = w_grps->i_ids; 858 for (i = 0; i < w_grps->i_cnt; ++i, grp++) { 859 syslog(LOG_DEBUG, 860 " Grp[%d].Attr:%d", i, grp->i_attrs); 861 if (grp->i_sid != NULL) { 862 smb_sid_tostr((smb_sid_t *)grp->i_sid, sidstr); 863 syslog(LOG_DEBUG, 864 " Grp[%d].Sid: %s (id=%u)", i, sidstr, 865 grp->i_id); 866 } 867 } 868 } else { 869 syslog(LOG_DEBUG, " No Windows groups"); 870 } 871 872 x_grps = token->tkn_posix_grps; 873 if (x_grps) { 874 syslog(LOG_DEBUG, " Solaris groups: %d", x_grps->pg_ngrps); 875 for (i = 0; i < x_grps->pg_ngrps; i++) 876 syslog(LOG_DEBUG, " %u", x_grps->pg_grps[i]); 877 } else { 878 syslog(LOG_DEBUG, " No Solaris groups"); 879 } 880 881 if (token->tkn_privileges) 882 smb_privset_log(token->tkn_privileges); 883 else 884 syslog(LOG_DEBUG, " No privileges"); 885 } 886 887 /* 888 * Sets up local and well-known group membership for the given 889 * token. Two assumptions have been made here: 890 * 891 * a) token already contains a valid user SID so that group 892 * memberships can be established 893 * 894 * b) token belongs to a local or anonymous user 895 */ 896 static uint32_t 897 smb_token_setup_wingrps(smb_token_t *token) 898 { 899 smb_ids_t tkn_grps; 900 uint32_t status; 901 902 903 /* 904 * We always want the user's primary group in the list 905 * of groups. 906 */ 907 tkn_grps.i_cnt = 1; 908 if ((tkn_grps.i_ids = malloc(sizeof (smb_id_t))) == NULL) 909 return (NT_STATUS_NO_MEMORY); 910 911 tkn_grps.i_ids->i_sid = smb_sid_dup(token->tkn_primary_grp.i_sid); 912 tkn_grps.i_ids->i_attrs = token->tkn_primary_grp.i_attrs; 913 if (tkn_grps.i_ids->i_sid == NULL) { 914 smb_ids_free(&tkn_grps); 915 return (NT_STATUS_NO_MEMORY); 916 } 917 918 status = smb_sam_usr_groups(token->tkn_user.i_sid, &tkn_grps); 919 if (status != NT_STATUS_SUCCESS) { 920 smb_ids_free(&tkn_grps); 921 return (status); 922 } 923 924 status = smb_wka_token_groups(token->tkn_flags, &tkn_grps); 925 if (status != NT_STATUS_SUCCESS) { 926 smb_ids_free(&tkn_grps); 927 return (status); 928 } 929 930 token->tkn_win_grps = tkn_grps; 931 return (status); 932 } 933 934 /* 935 * Returns the guest account name in the provided buffer. 936 * 937 * By default the name would be "guest" unless there's 938 * a idmap name-based rule which maps the guest to a local 939 * Solaris user in which case the name of that user is 940 * returned. 941 */ 942 static void 943 smb_guest_account(char *guest, size_t buflen) 944 { 945 idmap_stat stat; 946 uid_t guest_uid; 947 struct passwd pw; 948 char pwbuf[1024]; 949 int idtype; 950 951 /* default Guest account name */ 952 (void) rw_rdlock(&smb_logoninit_rwl); 953 (void) strlcpy(guest, smb_guest.a_name, buflen); 954 955 idtype = SMB_IDMAP_USER; 956 stat = smb_idmap_getid(smb_guest.a_sid, &guest_uid, &idtype); 957 (void) rw_unlock(&smb_logoninit_rwl); 958 959 if (stat != IDMAP_SUCCESS) 960 return; 961 962 /* If Ephemeral ID return the default name */ 963 if (IDMAP_ID_IS_EPHEMERAL(guest_uid)) 964 return; 965 966 if (getpwuid_r(guest_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL) 967 return; 968 969 (void) strlcpy(guest, pw.pw_name, buflen); 970 } 971