xref: /illumos-gate/usr/src/lib/smbsrv/libmlsvc/common/smb_logon.c (revision fb2a9bae0030340ad72b9c26ba1ffee2ee3cafec)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <unistd.h>
27 #include <strings.h>
28 #include <pwd.h>
29 #include <grp.h>
30 #include <time.h>
31 #include <syslog.h>
32 #include <assert.h>
33 #include <synch.h>
34 
35 #include <smbsrv/libsmb.h>
36 #include <smbsrv/libmlsvc.h>
37 
38 #include <smbsrv/smbinfo.h>
39 #include <smbsrv/smb_token.h>
40 #include <lsalib.h>
41 
42 static smb_account_t smb_guest;
43 static smb_account_t smb_domusers;
44 static rwlock_t smb_logoninit_rwl;
45 
46 typedef void (*smb_logonop_t)(smb_logon_t *, smb_token_t *);
47 
48 extern void smb_logon_domain(smb_logon_t *, smb_token_t *);
49 static void smb_logon_local(smb_logon_t *, smb_token_t *);
50 static void smb_logon_guest(smb_logon_t *, smb_token_t *);
51 static void smb_logon_anon(smb_logon_t *, smb_token_t *);
52 
53 static uint32_t smb_token_auth_local(smb_logon_t *, smb_token_t *,
54     smb_passwd_t *);
55 
56 static uint32_t smb_token_setup_local(smb_passwd_t *, smb_token_t *);
57 static uint32_t smb_token_setup_guest(smb_logon_t *, smb_token_t *);
58 static uint32_t smb_token_setup_anon(smb_token_t *token);
59 
60 static boolean_t smb_token_is_member(smb_token_t *, smb_sid_t *);
61 static uint32_t smb_token_setup_wingrps(smb_token_t *);
62 static smb_posix_grps_t *smb_token_create_pxgrps(uid_t);
63 
64 static void smb_guest_account(char *, size_t);
65 
66 /* Consolidation private function from Network Repository */
67 extern int _getgroupsbymember(const char *, gid_t[], int, int);
68 
69 static idmap_stat
70 smb_token_idmap(smb_token_t *token, smb_idmap_batch_t *sib)
71 {
72 	idmap_stat stat;
73 	smb_idmap_t *sim;
74 	smb_id_t *id;
75 	int i;
76 
77 	if (!token || !sib)
78 		return (IDMAP_ERR_ARG);
79 
80 	sim = sib->sib_maps;
81 
82 	if (token->tkn_flags & SMB_ATF_ANON) {
83 		token->tkn_user.i_id = UID_NOBODY;
84 		token->tkn_owner.i_id = UID_NOBODY;
85 	} else {
86 		/* User SID */
87 		id = &token->tkn_user;
88 		sim->sim_id = &id->i_id;
89 		stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++,
90 		    id->i_sid, SMB_IDMAP_USER);
91 
92 		if (stat != IDMAP_SUCCESS)
93 			return (stat);
94 
95 		/* Owner SID */
96 		id = &token->tkn_owner;
97 		sim->sim_id = &id->i_id;
98 		stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++,
99 		    id->i_sid, SMB_IDMAP_USER);
100 
101 		if (stat != IDMAP_SUCCESS)
102 			return (stat);
103 	}
104 
105 	/* Primary Group SID */
106 	id = &token->tkn_primary_grp;
107 	sim->sim_id = &id->i_id;
108 	stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, id->i_sid,
109 	    SMB_IDMAP_GROUP);
110 
111 	if (stat != IDMAP_SUCCESS)
112 		return (stat);
113 
114 	/* Other Windows Group SIDs */
115 	for (i = 0; i < token->tkn_win_grps.i_cnt; i++, sim++) {
116 		id = &token->tkn_win_grps.i_ids[i];
117 		sim->sim_id = &id->i_id;
118 		stat = smb_idmap_batch_getid(sib->sib_idmaph, sim,
119 		    id->i_sid, SMB_IDMAP_GROUP);
120 
121 		if (stat != IDMAP_SUCCESS)
122 			break;
123 	}
124 
125 	return (stat);
126 }
127 
128 /*
129  * smb_token_sids2ids
130  *
131  * This will map all the SIDs of the access token to UIDs/GIDs.
132  *
133  * Returns 0 upon success.  Otherwise, returns -1.
134  */
135 static int
136 smb_token_sids2ids(smb_token_t *token)
137 {
138 	idmap_stat stat;
139 	int nmaps, retries = 0;
140 	smb_idmap_batch_t sib;
141 
142 	/*
143 	 * Number of idmap lookups: user SID, owner SID, primary group SID,
144 	 * and all Windows group SIDs. Skip user/owner SID for Anonymous.
145 	 */
146 	if (token->tkn_flags & SMB_ATF_ANON)
147 		nmaps = token->tkn_win_grps.i_cnt + 1;
148 	else
149 		nmaps = token->tkn_win_grps.i_cnt + 3;
150 
151 	do {
152 		stat = smb_idmap_batch_create(&sib, nmaps, SMB_IDMAP_SID2ID);
153 		if (stat != IDMAP_SUCCESS)
154 			return (-1);
155 
156 		stat = smb_token_idmap(token, &sib);
157 		if (stat != IDMAP_SUCCESS) {
158 			smb_idmap_batch_destroy(&sib);
159 			return (-1);
160 		}
161 
162 		stat = smb_idmap_batch_getmappings(&sib);
163 		smb_idmap_batch_destroy(&sib);
164 		smb_idmap_check("smb_idmap_batch_getmappings", stat);
165 	} while (stat == IDMAP_ERR_RPC_HANDLE && retries++ < 3);
166 
167 	return (stat == IDMAP_SUCCESS ? 0 : -1);
168 }
169 
170 /*
171  * smb_token_create_pxgrps
172  *
173  * Setup the POSIX group membership of the access token if the given UID is
174  * a POSIX UID (non-ephemeral). Both the user's primary group and
175  * supplementary groups will be added to the POSIX group array of the access
176  * token.
177  */
178 static smb_posix_grps_t *
179 smb_token_create_pxgrps(uid_t uid)
180 {
181 	struct passwd *pwd;
182 	smb_posix_grps_t *pgrps;
183 	int ngroups_max, num;
184 	gid_t *gids;
185 
186 	if ((ngroups_max = sysconf(_SC_NGROUPS_MAX)) < 0) {
187 		syslog(LOG_ERR, "smb_logon: failed to get _SC_NGROUPS_MAX");
188 		return (NULL);
189 	}
190 
191 	pwd = getpwuid(uid);
192 	if (pwd == NULL) {
193 		pgrps = malloc(sizeof (smb_posix_grps_t));
194 		if (pgrps == NULL)
195 			return (NULL);
196 
197 		pgrps->pg_ngrps = 0;
198 		return (pgrps);
199 	}
200 
201 	if (pwd->pw_name == NULL) {
202 		pgrps = malloc(sizeof (smb_posix_grps_t));
203 		if (pgrps == NULL)
204 			return (NULL);
205 
206 		pgrps->pg_ngrps = 1;
207 		pgrps->pg_grps[0] = pwd->pw_gid;
208 		return (pgrps);
209 	}
210 
211 	gids = (gid_t *)malloc(ngroups_max * sizeof (gid_t));
212 	if (gids == NULL) {
213 		return (NULL);
214 	}
215 	bzero(gids, ngroups_max * sizeof (gid_t));
216 
217 	gids[0] = pwd->pw_gid;
218 
219 	/*
220 	 * Setup the groups starting at index 1 (the last arg)
221 	 * of gids array.
222 	 */
223 	num = _getgroupsbymember(pwd->pw_name, gids, ngroups_max, 1);
224 
225 	if (num == -1) {
226 		syslog(LOG_ERR, "smb_logon: unable "
227 		    "to get user's supplementary groups");
228 		num = 1;
229 	}
230 
231 	pgrps = (smb_posix_grps_t *)malloc(SMB_POSIX_GRPS_SIZE(num));
232 	if (pgrps) {
233 		pgrps->pg_ngrps = num;
234 		bcopy(gids, pgrps->pg_grps, num * sizeof (gid_t));
235 	}
236 
237 	free(gids);
238 	return (pgrps);
239 }
240 
241 /*
242  * smb_token_destroy
243  *
244  * Release all of the memory associated with a token structure. Ensure
245  * that the token has been unlinked before calling.
246  */
247 void
248 smb_token_destroy(smb_token_t *token)
249 {
250 	if (token != NULL) {
251 		smb_sid_free(token->tkn_user.i_sid);
252 		smb_sid_free(token->tkn_owner.i_sid);
253 		smb_sid_free(token->tkn_primary_grp.i_sid);
254 		smb_ids_free(&token->tkn_win_grps);
255 		smb_privset_free(token->tkn_privileges);
256 		free(token->tkn_posix_grps);
257 		free(token->tkn_account_name);
258 		free(token->tkn_domain_name);
259 		free(token->tkn_session_key);
260 		bzero(token, sizeof (smb_token_t));
261 		free(token);
262 	}
263 }
264 
265 /*
266  * Token owner should be set to local Administrators group
267  * in two cases:
268  *   1. The logged on user is a member of Domain Admins group
269  *   2. he/she is a member of local Administrators group
270  */
271 static void
272 smb_token_set_owner(smb_token_t *token)
273 {
274 #ifdef SMB_SUPPORT_GROUP_OWNER
275 	smb_sid_t *owner_sid;
276 
277 	if (token->tkn_flags & SMB_ATF_ADMIN) {
278 		owner_sid = smb_wka_get_sid("Administrators");
279 		assert(owner_sid);
280 	} else {
281 		owner_sid = token->tkn_user->i_sid;
282 	}
283 
284 	token->tkn_owner.i_sid = smb_sid_dup(owner_sid);
285 #endif
286 	token->tkn_owner.i_sid = smb_sid_dup(token->tkn_user.i_sid);
287 }
288 
289 static smb_privset_t *
290 smb_token_create_privs(smb_token_t *token)
291 {
292 	smb_privset_t *privs;
293 	smb_giter_t gi;
294 	smb_group_t grp;
295 	int rc;
296 
297 	privs = smb_privset_new();
298 	if (privs == NULL)
299 		return (NULL);
300 
301 	if (smb_lgrp_iteropen(&gi) != SMB_LGRP_SUCCESS) {
302 		smb_privset_free(privs);
303 		return (NULL);
304 	}
305 
306 	while (smb_lgrp_iterate(&gi, &grp) == SMB_LGRP_SUCCESS) {
307 		if (smb_lgrp_is_member(&grp, token->tkn_user.i_sid))
308 			smb_privset_merge(privs, grp.sg_privs);
309 		smb_lgrp_free(&grp);
310 	}
311 	smb_lgrp_iterclose(&gi);
312 
313 	if (token->tkn_flags & SMB_ATF_ADMIN) {
314 		rc = smb_lgrp_getbyname("Administrators", &grp);
315 		if (rc == SMB_LGRP_SUCCESS) {
316 			smb_privset_merge(privs, grp.sg_privs);
317 			smb_lgrp_free(&grp);
318 		}
319 
320 		/*
321 		 * This privilege is required to view/edit SACL
322 		 */
323 		smb_privset_enable(privs, SE_SECURITY_LUID);
324 	}
325 
326 	return (privs);
327 }
328 
329 static void
330 smb_token_set_flags(smb_token_t *token)
331 {
332 	if (smb_token_is_member(token, smb_wka_get_sid("Administrators")))
333 		token->tkn_flags |= SMB_ATF_ADMIN;
334 
335 	if (smb_token_is_member(token, smb_wka_get_sid("Power Users")))
336 		token->tkn_flags |= SMB_ATF_POWERUSER;
337 
338 	if (smb_token_is_member(token, smb_wka_get_sid("Backup Operators")))
339 		token->tkn_flags |= SMB_ATF_BACKUPOP;
340 }
341 
342 /*
343  * Common token setup for both local and domain users.
344  * This function must be called after the initial setup
345  * has been done.
346  *
347  * Note that the order of calls in this function are important.
348  */
349 static boolean_t
350 smb_token_setup_common(smb_token_t *token)
351 {
352 	smb_token_set_flags(token);
353 
354 	smb_token_set_owner(token);
355 	if (token->tkn_owner.i_sid == NULL)
356 		return (B_FALSE);
357 
358 	/* Privileges */
359 	token->tkn_privileges = smb_token_create_privs(token);
360 	if (token->tkn_privileges == NULL)
361 		return (B_FALSE);
362 
363 	if (smb_token_sids2ids(token) != 0) {
364 		syslog(LOG_ERR, "%s\\%s: idmap failed",
365 		    token->tkn_domain_name, token->tkn_account_name);
366 		return (B_FALSE);
367 	}
368 
369 	/* Solaris Groups */
370 	token->tkn_posix_grps = smb_token_create_pxgrps(token->tkn_user.i_id);
371 
372 	return (smb_token_valid(token));
373 }
374 
375 uint32_t
376 smb_logon_init(void)
377 {
378 	uint32_t status;
379 
380 	(void) rw_wrlock(&smb_logoninit_rwl);
381 	status = smb_sam_lookup_name(NULL, "guest", SidTypeUser, &smb_guest);
382 	if (status != NT_STATUS_SUCCESS) {
383 		(void) rw_unlock(&smb_logoninit_rwl);
384 		return (status);
385 	}
386 
387 	status = smb_sam_lookup_name(NULL, "domain users", SidTypeGroup,
388 	    &smb_domusers);
389 	if (status != NT_STATUS_SUCCESS) {
390 		smb_account_free(&smb_guest);
391 		bzero(&smb_guest, sizeof (smb_account_t));
392 		(void) rw_unlock(&smb_logoninit_rwl);
393 		return (status);
394 	}
395 
396 	(void) rw_unlock(&smb_logoninit_rwl);
397 	return (status);
398 }
399 
400 void
401 smb_logon_fini(void)
402 {
403 	(void) rw_wrlock(&smb_logoninit_rwl);
404 	smb_account_free(&smb_guest);
405 	smb_account_free(&smb_domusers);
406 	bzero(&smb_guest, sizeof (smb_account_t));
407 	bzero(&smb_domusers, sizeof (smb_account_t));
408 	(void) rw_unlock(&smb_logoninit_rwl);
409 }
410 
411 /*
412  * Perform user authentication.
413  *
414  * The dispatched functions must only update the user_info status if they
415  * attempt to authenticate the user.
416  *
417  * On success, a pointer to a new access token is returned.
418  */
419 smb_token_t *
420 smb_logon(smb_logon_t *user_info)
421 {
422 	static smb_logonop_t	ops[] = {
423 		smb_logon_anon,
424 		smb_logon_local,
425 		smb_logon_domain,
426 		smb_logon_guest
427 	};
428 	smb_token_t		*token = NULL;
429 	smb_domain_t		domain;
430 	int			n_op = (sizeof (ops) / sizeof (ops[0]));
431 	int			i;
432 
433 	user_info->lg_secmode = smb_config_get_secmode();
434 	user_info->lg_status = NT_STATUS_NO_SUCH_USER;
435 
436 	if (smb_domain_lookup_name(user_info->lg_e_domain, &domain))
437 		user_info->lg_domain_type = domain.di_type;
438 	else
439 		user_info->lg_domain_type = SMB_DOMAIN_NULL;
440 
441 	if ((token = calloc(1, sizeof (smb_token_t))) == NULL) {
442 		syslog(LOG_ERR, "logon[%s\\%s]: %m",
443 		    user_info->lg_e_domain, user_info->lg_e_username);
444 		return (NULL);
445 	}
446 
447 	for (i = 0; i < n_op; ++i) {
448 		(*ops[i])(user_info, token);
449 
450 		if (user_info->lg_status == NT_STATUS_SUCCESS)
451 			break;
452 	}
453 
454 	if (user_info->lg_status == NT_STATUS_SUCCESS) {
455 		if (smb_token_setup_common(token))
456 			return (token);
457 	}
458 
459 	smb_token_destroy(token);
460 	return (NULL);
461 }
462 
463 /*
464  * If the user has an entry in the local database, attempt local authentication.
465  *
466  * In domain mode, we try to exclude domain accounts, which we do by only
467  * accepting local or null (blank) domain names here.  Some clients (Mac OS)
468  * don't always send the domain name.
469  *
470  * If we are not going to attempt authentication, this function must return
471  * without updating the status.
472  */
473 static void
474 smb_logon_local(smb_logon_t *user_info, smb_token_t *token)
475 {
476 	char guest[SMB_USERNAME_MAXLEN];
477 	smb_passwd_t smbpw;
478 	uint32_t status;
479 	boolean_t isguest;
480 
481 	if (user_info->lg_secmode == SMB_SECMODE_DOMAIN) {
482 		if ((user_info->lg_domain_type != SMB_DOMAIN_LOCAL) &&
483 		    (user_info->lg_domain_type != SMB_DOMAIN_NULL))
484 			return;
485 	}
486 
487 	smb_guest_account(guest, SMB_USERNAME_MAXLEN);
488 	isguest = (smb_strcasecmp(guest, user_info->lg_e_username, 0) == 0);
489 
490 	status = smb_token_auth_local(user_info, token, &smbpw);
491 	if (status == NT_STATUS_SUCCESS) {
492 		if (isguest)
493 			status = smb_token_setup_guest(user_info, token);
494 		else
495 			status = smb_token_setup_local(&smbpw, token);
496 	}
497 
498 	user_info->lg_status = status;
499 }
500 
501 /*
502  * Guest authentication.  This may be a local guest account or the guest
503  * account may be mapped to a local account.  These accounts are regular
504  * accounts with normal password protection.
505  *
506  * Only proceed with a guest logon if previous logon options have resulted
507  * in NO_SUCH_USER.
508  *
509  * If we are not going to attempt authentication, this function must return
510  * without updating the status.
511  */
512 static void
513 smb_logon_guest(smb_logon_t *user_info, smb_token_t *token)
514 {
515 	char guest[SMB_USERNAME_MAXLEN];
516 	smb_passwd_t smbpw;
517 	char *temp;
518 	uint32_t status;
519 
520 	if (user_info->lg_status != NT_STATUS_NO_SUCH_USER)
521 		return;
522 
523 	smb_guest_account(guest, SMB_USERNAME_MAXLEN);
524 	temp = user_info->lg_e_username;
525 	user_info->lg_e_username = guest;
526 
527 	status = smb_token_auth_local(user_info, token, &smbpw);
528 	if ((status == NT_STATUS_SUCCESS) ||
529 	    (status == NT_STATUS_NO_SUCH_USER)) {
530 		status = smb_token_setup_guest(user_info, token);
531 	}
532 
533 	user_info->lg_e_username = temp;
534 	user_info->lg_status = status;
535 }
536 
537 /*
538  * If user_info represents an anonymous user then setup the token.
539  * Otherwise return without updating the status.
540  */
541 static void
542 smb_logon_anon(smb_logon_t *user_info, smb_token_t *token)
543 {
544 	if (user_info->lg_flags & SMB_ATF_ANON)
545 		user_info->lg_status = smb_token_setup_anon(token);
546 }
547 
548 /*
549  * Try both LM hash and NT hashes with user's password(s) to authenticate
550  * the user.
551  */
552 static uint32_t
553 smb_token_auth_local(smb_logon_t *user_info, smb_token_t *token,
554     smb_passwd_t *smbpw)
555 {
556 	boolean_t lm_ok, nt_ok;
557 	uint32_t status = NT_STATUS_SUCCESS;
558 
559 	if (smb_pwd_getpwnam(user_info->lg_e_username, smbpw) == NULL)
560 		return (NT_STATUS_NO_SUCH_USER);
561 
562 	if (smbpw->pw_flags & SMB_PWF_DISABLE)
563 		return (NT_STATUS_ACCOUNT_DISABLED);
564 
565 	nt_ok = lm_ok = B_FALSE;
566 	if ((smbpw->pw_flags & SMB_PWF_LM) &&
567 	    (user_info->lg_lm_password.len != 0)) {
568 		lm_ok = smb_auth_validate_lm(
569 		    user_info->lg_challenge_key.val,
570 		    user_info->lg_challenge_key.len,
571 		    smbpw,
572 		    user_info->lg_lm_password.val,
573 		    user_info->lg_lm_password.len,
574 		    user_info->lg_domain,
575 		    user_info->lg_username);
576 		token->tkn_session_key = NULL;
577 	}
578 
579 	if (!lm_ok && (user_info->lg_nt_password.len != 0)) {
580 		token->tkn_session_key = malloc(SMBAUTH_SESSION_KEY_SZ);
581 		if (token->tkn_session_key == NULL)
582 			return (NT_STATUS_NO_MEMORY);
583 		nt_ok = smb_auth_validate_nt(
584 		    user_info->lg_challenge_key.val,
585 		    user_info->lg_challenge_key.len,
586 		    smbpw,
587 		    user_info->lg_nt_password.val,
588 		    user_info->lg_nt_password.len,
589 		    user_info->lg_domain,
590 		    user_info->lg_username,
591 		    (uchar_t *)token->tkn_session_key);
592 	}
593 
594 	if (!nt_ok && !lm_ok) {
595 		status = NT_STATUS_WRONG_PASSWORD;
596 		syslog(LOG_NOTICE, "logon[%s\\%s]: %s",
597 		    user_info->lg_e_domain, user_info->lg_e_username,
598 		    xlate_nt_status(status));
599 	}
600 
601 	return (status);
602 }
603 
604 /*
605  * Setup an access token for the specified local user.
606  */
607 static uint32_t
608 smb_token_setup_local(smb_passwd_t *smbpw, smb_token_t *token)
609 {
610 	idmap_stat stat;
611 	smb_idmap_batch_t sib;
612 	smb_idmap_t *umap, *gmap;
613 	struct passwd pw;
614 	char pwbuf[1024];
615 	char nbname[NETBIOS_NAME_SZ];
616 
617 	(void) smb_getnetbiosname(nbname, sizeof (nbname));
618 	token->tkn_account_name = strdup(smbpw->pw_name);
619 	token->tkn_domain_name = strdup(nbname);
620 
621 	if (token->tkn_account_name == NULL ||
622 	    token->tkn_domain_name == NULL)
623 		return (NT_STATUS_NO_MEMORY);
624 
625 	if (getpwuid_r(smbpw->pw_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL)
626 		return (NT_STATUS_NO_SUCH_USER);
627 
628 	/* Get the SID for user's uid & gid */
629 	stat = smb_idmap_batch_create(&sib, 2, SMB_IDMAP_ID2SID);
630 	if (stat != IDMAP_SUCCESS)
631 		return (NT_STATUS_INTERNAL_ERROR);
632 
633 	umap = &sib.sib_maps[0];
634 	stat = smb_idmap_batch_getsid(sib.sib_idmaph, umap, pw.pw_uid,
635 	    SMB_IDMAP_USER);
636 
637 	if (stat != IDMAP_SUCCESS) {
638 		smb_idmap_batch_destroy(&sib);
639 		return (NT_STATUS_INTERNAL_ERROR);
640 	}
641 
642 	gmap = &sib.sib_maps[1];
643 	stat = smb_idmap_batch_getsid(sib.sib_idmaph, gmap, pw.pw_gid,
644 	    SMB_IDMAP_GROUP);
645 
646 	if (stat != IDMAP_SUCCESS) {
647 		smb_idmap_batch_destroy(&sib);
648 		return (NT_STATUS_INTERNAL_ERROR);
649 	}
650 
651 	if (smb_idmap_batch_getmappings(&sib) != IDMAP_SUCCESS)
652 		return (NT_STATUS_INTERNAL_ERROR);
653 
654 	token->tkn_user.i_sid = smb_sid_dup(umap->sim_sid);
655 	token->tkn_primary_grp.i_sid = smb_sid_dup(gmap->sim_sid);
656 
657 	smb_idmap_batch_destroy(&sib);
658 
659 	if (token->tkn_user.i_sid == NULL ||
660 	    token->tkn_primary_grp.i_sid == NULL)
661 		return (NT_STATUS_NO_MEMORY);
662 
663 	return (smb_token_setup_wingrps(token));
664 }
665 
666 /*
667  * Setup access token for guest connections
668  */
669 static uint32_t
670 smb_token_setup_guest(smb_logon_t *user_info, smb_token_t *token)
671 {
672 	token->tkn_account_name = strdup(user_info->lg_e_username);
673 
674 	(void) rw_rdlock(&smb_logoninit_rwl);
675 	token->tkn_domain_name = strdup(smb_guest.a_domain);
676 	token->tkn_user.i_sid = smb_sid_dup(smb_guest.a_sid);
677 	token->tkn_primary_grp.i_sid = smb_sid_dup(smb_domusers.a_sid);
678 	(void) rw_unlock(&smb_logoninit_rwl);
679 	token->tkn_flags = SMB_ATF_GUEST;
680 
681 	if (token->tkn_account_name == NULL ||
682 	    token->tkn_domain_name == NULL ||
683 	    token->tkn_user.i_sid == NULL ||
684 	    token->tkn_primary_grp.i_sid == NULL)
685 		return (NT_STATUS_NO_MEMORY);
686 
687 	return (smb_token_setup_wingrps(token));
688 }
689 
690 /*
691  * Setup access token for anonymous connections
692  */
693 static uint32_t
694 smb_token_setup_anon(smb_token_t *token)
695 {
696 	smb_sid_t *user_sid;
697 
698 	token->tkn_account_name = strdup("Anonymous");
699 	token->tkn_domain_name = strdup("NT Authority");
700 	user_sid = smb_wka_get_sid("Anonymous");
701 	token->tkn_user.i_sid = smb_sid_dup(user_sid);
702 	token->tkn_primary_grp.i_sid = smb_sid_dup(user_sid);
703 	token->tkn_flags = SMB_ATF_ANON;
704 
705 	if (token->tkn_account_name == NULL ||
706 	    token->tkn_domain_name == NULL ||
707 	    token->tkn_user.i_sid == NULL ||
708 	    token->tkn_primary_grp.i_sid == NULL)
709 		return (NT_STATUS_NO_MEMORY);
710 
711 	return (smb_token_setup_wingrps(token));
712 }
713 
714 /*
715  * smb_token_user_sid
716  *
717  * Return a pointer to the user SID in the specified token. A null
718  * pointer indicates an error.
719  */
720 static smb_sid_t *
721 smb_token_user_sid(smb_token_t *token)
722 {
723 	return ((token) ? token->tkn_user.i_sid : NULL);
724 }
725 
726 /*
727  * smb_token_group_sid
728  *
729  * Return a pointer to the group SID as indicated by the iterator.
730  * Setting the iterator to 0 before calling this function will return
731  * the first group, which will always be the primary group. The
732  * iterator will be incremented before returning the SID so that this
733  * function can be used to cycle through the groups. The caller can
734  * adjust the iterator as required between calls to obtain any specific
735  * group.
736  *
737  * On success a pointer to the appropriate group SID will be returned.
738  * Otherwise a null pointer will be returned.
739  */
740 static smb_sid_t *
741 smb_token_group_sid(smb_token_t *token, int *iterator)
742 {
743 	int index;
744 
745 	if (token == NULL || iterator == NULL)
746 		return (NULL);
747 
748 	if (token->tkn_win_grps.i_ids == NULL)
749 		return (NULL);
750 
751 	index = *iterator;
752 
753 	if (index < 0 || index >= token->tkn_win_grps.i_cnt)
754 		return (NULL);
755 
756 	++(*iterator);
757 	return (token->tkn_win_grps.i_ids[index].i_sid);
758 }
759 
760 /*
761  * smb_token_is_member
762  *
763  * This function will determine whether or not the specified SID is a
764  * member of a token. The user SID and all group SIDs are tested.
765  * Returns 1 if the SID is a member of the token. Otherwise returns 0.
766  */
767 static boolean_t
768 smb_token_is_member(smb_token_t *token, smb_sid_t *sid)
769 {
770 	smb_sid_t *tsid;
771 	int iterator = 0;
772 
773 	if (token == NULL || sid == NULL)
774 		return (B_FALSE);
775 
776 	tsid = smb_token_user_sid(token);
777 	while (tsid) {
778 		if (smb_sid_cmp(tsid, sid))
779 			return (B_TRUE);
780 
781 		tsid = smb_token_group_sid(token, &iterator);
782 	}
783 
784 	return (B_FALSE);
785 }
786 
787 /*
788  * smb_token_log
789  *
790  * Diagnostic routine to write the contents of a token to the log.
791  */
792 void
793 smb_token_log(smb_token_t *token)
794 {
795 	smb_ids_t *w_grps;
796 	smb_id_t *grp;
797 	smb_posix_grps_t *x_grps;
798 	char sidstr[SMB_SID_STRSZ];
799 	int i;
800 
801 	if (token == NULL)
802 		return;
803 
804 	syslog(LOG_DEBUG, "Token for %s\\%s",
805 	    (token->tkn_domain_name) ? token->tkn_domain_name : "-NULL-",
806 	    (token->tkn_account_name) ? token->tkn_account_name : "-NULL-");
807 
808 	syslog(LOG_DEBUG, "   User->Attr: %d", token->tkn_user.i_attrs);
809 	smb_sid_tostr((smb_sid_t *)token->tkn_user.i_sid, sidstr);
810 	syslog(LOG_DEBUG, "   User->Sid: %s (id=%u)", sidstr,
811 	    token->tkn_user.i_id);
812 
813 	smb_sid_tostr((smb_sid_t *)token->tkn_owner.i_sid, sidstr);
814 	syslog(LOG_DEBUG, "   Ownr->Sid: %s (id=%u)",
815 	    sidstr, token->tkn_owner.i_id);
816 
817 	smb_sid_tostr((smb_sid_t *)token->tkn_primary_grp.i_sid, sidstr);
818 	syslog(LOG_DEBUG, "   PGrp->Sid: %s (id=%u)",
819 	    sidstr, token->tkn_primary_grp.i_id);
820 
821 	w_grps = &token->tkn_win_grps;
822 	if (w_grps->i_ids) {
823 		syslog(LOG_DEBUG, "   Windows groups: %d", w_grps->i_cnt);
824 		grp = w_grps->i_ids;
825 		for (i = 0; i < w_grps->i_cnt; ++i, grp++) {
826 			syslog(LOG_DEBUG,
827 			    "    Grp[%d].Attr:%d", i, grp->i_attrs);
828 			if (grp->i_sid != NULL) {
829 				smb_sid_tostr((smb_sid_t *)grp->i_sid, sidstr);
830 				syslog(LOG_DEBUG,
831 				    "    Grp[%d].Sid: %s (id=%u)", i, sidstr,
832 				    grp->i_id);
833 			}
834 		}
835 	} else {
836 		syslog(LOG_DEBUG, "   No Windows groups");
837 	}
838 
839 	x_grps = token->tkn_posix_grps;
840 	if (x_grps) {
841 		syslog(LOG_DEBUG, "   Solaris groups: %d", x_grps->pg_ngrps);
842 		for (i = 0; i < x_grps->pg_ngrps; i++)
843 			syslog(LOG_DEBUG, "    %u", x_grps->pg_grps[i]);
844 	} else {
845 		syslog(LOG_DEBUG, "   No Solaris groups");
846 	}
847 
848 	if (token->tkn_privileges)
849 		smb_privset_log(token->tkn_privileges);
850 	else
851 		syslog(LOG_DEBUG, "   No privileges");
852 }
853 
854 /*
855  * Sets up local and well-known group membership for the given
856  * token. Two assumptions have been made here:
857  *
858  *   a) token already contains a valid user SID so that group
859  *      memberships can be established
860  *
861  *   b) token belongs to a local or anonymous user
862  */
863 static uint32_t
864 smb_token_setup_wingrps(smb_token_t *token)
865 {
866 	smb_ids_t tkn_grps;
867 	uint32_t status;
868 
869 
870 	/*
871 	 * We always want the user's primary group in the list
872 	 * of groups.
873 	 */
874 	tkn_grps.i_cnt = 1;
875 	if ((tkn_grps.i_ids = malloc(sizeof (smb_id_t))) == NULL)
876 		return (NT_STATUS_NO_MEMORY);
877 
878 	tkn_grps.i_ids->i_sid = smb_sid_dup(token->tkn_primary_grp.i_sid);
879 	tkn_grps.i_ids->i_attrs = token->tkn_primary_grp.i_attrs;
880 	if (tkn_grps.i_ids->i_sid == NULL) {
881 		smb_ids_free(&tkn_grps);
882 		return (NT_STATUS_NO_MEMORY);
883 	}
884 
885 	status = smb_sam_usr_groups(token->tkn_user.i_sid, &tkn_grps);
886 	if (status != NT_STATUS_SUCCESS) {
887 		smb_ids_free(&tkn_grps);
888 		return (status);
889 	}
890 
891 	status = smb_wka_token_groups(token->tkn_flags, &tkn_grps);
892 	if (status != NT_STATUS_SUCCESS) {
893 		smb_ids_free(&tkn_grps);
894 		return (status);
895 	}
896 
897 	token->tkn_win_grps = tkn_grps;
898 	return (status);
899 }
900 
901 /*
902  * Returns the guest account name in the provided buffer.
903  *
904  * By default the name would be "guest" unless there's
905  * a idmap name-based rule which maps the guest to a local
906  * Solaris user in which case the name of that user is
907  * returned.
908  */
909 static void
910 smb_guest_account(char *guest, size_t buflen)
911 {
912 	idmap_stat stat;
913 	uid_t guest_uid;
914 	struct passwd pw;
915 	char pwbuf[1024];
916 	int idtype;
917 
918 	/* default Guest account name */
919 	(void) rw_rdlock(&smb_logoninit_rwl);
920 	(void) strlcpy(guest, smb_guest.a_name, buflen);
921 
922 	idtype = SMB_IDMAP_USER;
923 	stat = smb_idmap_getid(smb_guest.a_sid, &guest_uid, &idtype);
924 	(void) rw_unlock(&smb_logoninit_rwl);
925 
926 	if (stat != IDMAP_SUCCESS)
927 		return;
928 
929 	/* If Ephemeral ID return the default name */
930 	if (IDMAP_ID_IS_EPHEMERAL(guest_uid))
931 		return;
932 
933 	if (getpwuid_r(guest_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL)
934 		return;
935 
936 	(void) strlcpy(guest, pw.pw_name, buflen);
937 }
938