xref: /illumos-gate/usr/src/uts/common/fs/smbsrv/smb_user.c (revision dd72704bd9e794056c558153663c739e2012d721)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23  * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
24  * Copyright (c) 2016 by Delphix. All rights reserved.
25  */
26 
27 /*
28  * General Structures Layout
29  * -------------------------
30  *
31  * This is a simplified diagram showing the relationship between most of the
32  * main structures.
33  *
34  * +-------------------+
35  * |     SMB_INFO      |
36  * +-------------------+
37  *          |
38  *          |
39  *          v
40  * +-------------------+       +-------------------+      +-------------------+
41  * |     SESSION       |<----->|     SESSION       |......|      SESSION      |
42  * +-------------------+       +-------------------+      +-------------------+
43  *   |          |
44  *   |          |
45  *   |          v
46  *   |  +-------------------+     +-------------------+   +-------------------+
47  *   |  |       USER        |<--->|       USER        |...|       USER        |
48  *   |  +-------------------+     +-------------------+   +-------------------+
49  *   |
50  *   |
51  *   v
52  * +-------------------+       +-------------------+      +-------------------+
53  * |       TREE        |<----->|       TREE        |......|       TREE        |
54  * +-------------------+       +-------------------+      +-------------------+
55  *      |         |
56  *      |         |
57  *      |         v
58  *      |     +-------+       +-------+      +-------+
59  *      |     | OFILE |<----->| OFILE |......| OFILE |
60  *      |     +-------+       +-------+      +-------+
61  *      |
62  *      |
63  *      v
64  *  +-------+       +------+      +------+
65  *  | ODIR  |<----->| ODIR |......| ODIR |
66  *  +-------+       +------+      +------+
67  *
68  *
69  * User State Machine
70  * ------------------
71  *
72  *
73  *		    | T0:  Creation/Allocation
74  *		    |	   (1st session setup)
75  *		    v
76  *    +-----------------------------+
77  *    |  SMB_USER_STATE_LOGGING_ON  |<----------+
78  *    +-----------------------------+	 addl. session setup
79  *		    |		|	(more proc. required)
80  *		    | T2	|		^
81  *		    |		|		| T1: (cont.)
82  *		    |		+------->-------?
83  *		    v				| T3: (fail)
84  *    +-----------------------------+		v
85  *    |  SMB_USER_STATE_LOGGED_ON   |	    (logged off)
86  *    +-----------------------------+
87  *		    |
88  *		    | T4
89  *		    |
90  *		    v
91  *    +-----------------------------+
92  *    |  SMB_USER_STATE_LOGGING_OFF |
93  *    +-----------------------------+
94  *		    |
95  *		    | T5
96  *		    |
97  *		    v
98  *    +-----------------------------+    T6
99  *    |  SMB_USER_STATE_LOGGED_OFF  |----------> Deletion/Free
100  *    +-----------------------------+
101  *
102  * SMB_USER_STATE_LOGGING_ON
103  *
104  *    While in this state:
105  *      - The user is in the list of users for their session.
106  *      - References will be given out ONLY for session setup.
107  *      - This user can not access anything yet.
108  *
109  * SMB_USER_STATE_LOGGED_ON
110  *
111  *    While in this state:
112  *      - The user is in the list of users for their session.
113  *      - References will be given out if the user is looked up.
114  *      - The user can access files and pipes.
115  *
116  * SMB_USER_STATE_LOGGING_OFF
117  *
118  *    While in this state:
119  *      - The user is in the list of users for their session.
120  *      - References will not be given out if the user is looked up.
121  *      - The trees the user connected are being disconnected.
122  *      - The resources associated with the user remain.
123  *
124  * SMB_USER_STATE_LOGGED_OFF
125  *
126  *    While in this state:
127  *      - The user is queued in the list of users of their session.
128  *      - References will not be given out if the user is looked up.
129  *      - The user has no more trees connected.
130  *      - The resources associated with the user remain.
131  *
132  * Transition T0
133  *
134  *    First request in an SMB Session Setup sequence creates a
135  *    new user object and adds it to the list of users for
136  *    this session.  User UID is assigned and returned.
137  *
138  * Transition T1
139  *
140  *    Subsequent SMB Session Setup requests (on the same UID
141  *    assigned in T0) update the state of this user object,
142  *    communicating with smbd for the crypto work.
143  *
144  * Transition T2
145  *
146  *    If the SMB Session Setup sequence is successful, T2
147  *    makes the new user object available for requests.
148  *
149  * Transition T3
150  *
151  *    If an Session Setup request gets an error other than
152  *    the expected "more processing required", then T3
153  *    leads to state "LOGGED_OFF" and then tear-down of the
154  *    partially constructed user.
155  *
156  * Transition T4
157  *
158  *    Normal SMB User Logoff request, or session tear-down.
159  *
160  * Transition T5
161  *
162  *    This transition occurs in smb_user_release(). The resources associated
163  *    with the user are deleted as well as the user. For the transition to
164  *    occur, the user must be in the SMB_USER_STATE_LOGGED_OFF state and the
165  *    reference count be zero.
166  *
167  * Comments
168  * --------
169  *
170  *    The state machine of the user structures is controlled by 3 elements:
171  *      - The list of users of the session they belong to.
172  *      - The mutex embedded in the structure itself.
173  *      - The reference count.
174  *
175  *    There's a mutex embedded in the user structure used to protect its fields
176  *    and there's a lock embedded in the list of users of a session. To
177  *    increment or to decrement the reference count the mutex must be entered.
178  *    To insert the user into the list of users of the session and to remove
179  *    the user from it, the lock must be entered in RW_WRITER mode.
180  *
181  *    Rules of access to a user structure:
182  *
183  *    1) In order to avoid deadlocks, when both (mutex and lock of the session
184  *       list) have to be entered, the lock must be entered first. Additionally,
185  *       one may NOT flush the deleteq of either the tree list or the ofile list
186  *       while the user mutex is held.
187  *
188  *    2) All actions applied to a user require a reference count.
189  *
190  *    3) There are 2 ways of getting a reference count. One is when the user
191  *       logs in. The other when the user is looked up.
192  *
193  *    It should be noted that the reference count of a user registers the
194  *    number of references to the user in other structures (such as an smb
195  *    request). The reference count is not incremented in these 2 instances:
196  *
197  *    1) The user is logged in. An user is anchored by their state. If there's
198  *       no activity involving a user currently logged in, the reference
199  *       count of that user is zero.
200  *
201  *    2) The user is queued in the list of users of the session. The fact of
202  *       being queued in that list is NOT registered by incrementing the
203  *       reference count.
204  */
205 #include <sys/types.h>
206 #include <sys/sid.h>
207 #include <sys/priv_names.h>
208 #include <sys/priv.h>
209 #include <sys/policy.h>
210 #include <smbsrv/smb_kproto.h>
211 #include <smbsrv/smb_door.h>
212 
213 #define	ADMINISTRATORS_SID	"S-1-5-32-544"
214 
215 /* Don't leak object addresses */
216 #define	SMB_USER_SSNID(u) \
217 	((uintptr_t)&smb_cache_user ^ (uintptr_t)(u))
218 
219 static void smb_user_delete(void *);
220 static int smb_user_enum_private(smb_user_t *, smb_svcenum_t *);
221 static void smb_user_auth_logoff(smb_user_t *);
222 static void smb_user_logoff_tq(void *);
223 
224 /*
225  * Create a new user.
226  *
227  * For SMB2 and later, session IDs (u_ssnid) need to be unique among all
228  * current and "recent" sessions.  The session ID is derived from the
229  * address of the smb_user object (obscured by XOR with a constant).
230  * This adds a 3-bit generation number in the low bits, incremented
231  * when we allocate an smb_user_t from its kmem cache, so it can't
232  * be confused with a (recent) previous incarnation of this object.
233  */
234 smb_user_t *
235 smb_user_new(smb_session_t *session)
236 {
237 	smb_user_t	*user;
238 	uint_t		gen;	// generation (low 3 bits of ssnid)
239 	uint32_t	ucount;
240 
241 	ASSERT(session);
242 	ASSERT(session->s_magic == SMB_SESSION_MAGIC);
243 
244 	user = kmem_cache_alloc(smb_cache_user, KM_SLEEP);
245 	gen = (user->u_ssnid + 1) & 7;
246 	bzero(user, sizeof (smb_user_t));
247 
248 	user->u_refcnt = 1;
249 	user->u_session = session;
250 	user->u_server = session->s_server;
251 	user->u_logon_time = gethrestime_sec();
252 
253 	if (smb_idpool_alloc(&session->s_uid_pool, &user->u_uid))
254 		goto errout;
255 	user->u_ssnid = SMB_USER_SSNID(user) + gen;
256 
257 	mutex_init(&user->u_mutex, NULL, MUTEX_DEFAULT, NULL);
258 	user->u_state = SMB_USER_STATE_LOGGING_ON;
259 	user->u_magic = SMB_USER_MAGIC;
260 
261 	smb_llist_enter(&session->s_user_list, RW_WRITER);
262 	ucount = smb_llist_get_count(&session->s_user_list);
263 	smb_llist_insert_tail(&session->s_user_list, user);
264 	smb_llist_exit(&session->s_user_list);
265 	smb_server_inc_users(session->s_server);
266 
267 	/*
268 	 * If we added the first user to the session, cancel the
269 	 * timeout that was started in smb_session_receiver().
270 	 */
271 	if (ucount == 0) {
272 		timeout_id_t tmo = NULL;
273 
274 		smb_rwx_rwenter(&session->s_lock, RW_WRITER);
275 		tmo = session->s_auth_tmo;
276 		session->s_auth_tmo = NULL;
277 		smb_rwx_rwexit(&session->s_lock);
278 
279 		if (tmo != NULL)
280 			(void) untimeout(tmo);
281 	}
282 
283 	return (user);
284 
285 errout:
286 	if (user->u_uid != 0)
287 		smb_idpool_free(&session->s_uid_pool, user->u_uid);
288 	kmem_cache_free(smb_cache_user, user);
289 	return (NULL);
290 }
291 
292 /*
293  * Fill in the details of a user, meaning a transition
294  * from state LOGGING_ON to state LOGGED_ON.
295  */
296 int
297 smb_user_logon(
298     smb_user_t		*user,
299     cred_t		*cr,
300     char		*domain_name,
301     char		*account_name,
302     uint32_t		flags,
303     uint32_t		privileges,
304     uint32_t		audit_sid)
305 {
306 	ksocket_t authsock = NULL;
307 	timeout_id_t tmo = NULL;
308 
309 	ASSERT(user->u_magic == SMB_USER_MAGIC);
310 	ASSERT(cr);
311 	ASSERT(account_name);
312 	ASSERT(domain_name);
313 
314 	mutex_enter(&user->u_mutex);
315 
316 	if (user->u_state != SMB_USER_STATE_LOGGING_ON) {
317 		mutex_exit(&user->u_mutex);
318 		return (-1);
319 	}
320 
321 	/*
322 	 * In the transition from LOGGING_ON to LOGGED_ON,
323 	 * we always have an auth. socket to close.
324 	 */
325 	authsock = user->u_authsock;
326 	user->u_authsock = NULL;
327 	tmo = user->u_auth_tmo;
328 	user->u_auth_tmo = NULL;
329 
330 	user->u_state = SMB_USER_STATE_LOGGED_ON;
331 	user->u_flags = flags;
332 	user->u_name_len = strlen(account_name) + 1;
333 	user->u_domain_len = strlen(domain_name) + 1;
334 	user->u_name = smb_mem_strdup(account_name);
335 	user->u_domain = smb_mem_strdup(domain_name);
336 	user->u_audit_sid = audit_sid;
337 
338 	smb_user_setcred(user, cr, privileges);
339 
340 	mutex_exit(&user->u_mutex);
341 
342 	/* Timeout callback takes u_mutex. See untimeout(9f) */
343 	if (tmo != NULL)
344 		(void) untimeout(tmo);
345 
346 	/* This close can block, so not under the mutex. */
347 	if (authsock != NULL)
348 		smb_authsock_close(user, authsock);
349 
350 	return (0);
351 }
352 
353 /*
354  * smb_user_logoff
355  *
356  * Change the user state to "logging off" and disconnect trees.
357  * The user list must not be entered or modified here.
358  *
359  * We remain in state "logging off" until the last ref. is gone,
360  * then smb_user_release takes us to state "logged off".
361  */
362 void
363 smb_user_logoff(
364     smb_user_t		*user)
365 {
366 	ksocket_t authsock = NULL;
367 	timeout_id_t tmo = NULL;
368 
369 	ASSERT(user->u_magic == SMB_USER_MAGIC);
370 
371 	mutex_enter(&user->u_mutex);
372 	ASSERT(user->u_refcnt);
373 	switch (user->u_state) {
374 	case SMB_USER_STATE_LOGGING_ON:
375 		authsock = user->u_authsock;
376 		user->u_authsock = NULL;
377 		tmo = user->u_auth_tmo;
378 		user->u_auth_tmo = NULL;
379 		user->u_state = SMB_USER_STATE_LOGGING_OFF;
380 		mutex_exit(&user->u_mutex);
381 
382 		/* Timeout callback takes u_mutex. See untimeout(9f) */
383 		if (tmo != NULL)
384 			(void) untimeout(tmo);
385 		/* This close can block, so not under the mutex. */
386 		if (authsock != NULL)
387 			smb_authsock_close(user, authsock);
388 		break;
389 
390 	case SMB_USER_STATE_LOGGED_ON:
391 		/*
392 		 * The user is moved into a state indicating that the log off
393 		 * process has started.
394 		 */
395 		user->u_state = SMB_USER_STATE_LOGGING_OFF;
396 		mutex_exit(&user->u_mutex);
397 		smb_session_disconnect_owned_trees(user->u_session, user);
398 		smb_user_auth_logoff(user);
399 		break;
400 
401 	case SMB_USER_STATE_LOGGED_OFF:
402 	case SMB_USER_STATE_LOGGING_OFF:
403 		mutex_exit(&user->u_mutex);
404 		break;
405 
406 	default:
407 		ASSERT(0);
408 		mutex_exit(&user->u_mutex);
409 		break;
410 	}
411 }
412 
413 /*
414  * Take a reference on a user.  Do not return a reference unless the user is in
415  * the logged-in state.
416  */
417 boolean_t
418 smb_user_hold(smb_user_t *user)
419 {
420 	SMB_USER_VALID(user);
421 
422 	mutex_enter(&user->u_mutex);
423 
424 	if (user->u_state == SMB_USER_STATE_LOGGED_ON) {
425 		user->u_refcnt++;
426 		mutex_exit(&user->u_mutex);
427 		return (B_TRUE);
428 	}
429 
430 	mutex_exit(&user->u_mutex);
431 	return (B_FALSE);
432 }
433 
434 /*
435  * Unconditionally take a reference on a user.
436  */
437 void
438 smb_user_hold_internal(smb_user_t *user)
439 {
440 	SMB_USER_VALID(user);
441 
442 	mutex_enter(&user->u_mutex);
443 	user->u_refcnt++;
444 	mutex_exit(&user->u_mutex);
445 }
446 
447 /*
448  * Release a reference on a user.  If the reference count falls to
449  * zero and the user has logged off, post the object for deletion.
450  * Object deletion is deferred to avoid modifying a list while an
451  * iteration may be in progress.
452  */
453 void
454 smb_user_release(
455     smb_user_t		*user)
456 {
457 	smb_session_t *ssn = user->u_session;
458 
459 	SMB_USER_VALID(user);
460 
461 	/* flush the tree list delete queue */
462 	smb_llist_flush(&ssn->s_tree_list);
463 
464 	mutex_enter(&user->u_mutex);
465 	ASSERT(user->u_refcnt);
466 	user->u_refcnt--;
467 
468 	switch (user->u_state) {
469 	case SMB_USER_STATE_LOGGING_OFF:
470 		if (user->u_refcnt == 0) {
471 			smb_session_t *ssn = user->u_session;
472 			user->u_state = SMB_USER_STATE_LOGGED_OFF;
473 			smb_llist_post(&ssn->s_user_list, user,
474 			    smb_user_delete);
475 		}
476 		break;
477 
478 	case SMB_USER_STATE_LOGGING_ON:
479 	case SMB_USER_STATE_LOGGED_ON:
480 		break;
481 
482 	case SMB_USER_STATE_LOGGED_OFF:
483 	default:
484 		ASSERT(0);
485 		break;
486 	}
487 	mutex_exit(&user->u_mutex);
488 }
489 
490 /*
491  * Timeout handler for user logons that stay too long in
492  * state SMB_USER_STATE_LOGGING_ON.  This is setup by a
493  * timeout call in smb_authsock_open, and called in a
494  * callout thread, so schedule a taskq job to do the
495  * real work of logging off this user.
496  */
497 void
498 smb_user_auth_tmo(void *arg)
499 {
500 	smb_user_t *user = arg;
501 	smb_request_t *sr;
502 
503 	SMB_USER_VALID(user);
504 
505 	/*
506 	 * If we can't allocate a request, it means the
507 	 * session is being torn down, so nothing to do.
508 	 */
509 	sr = smb_request_alloc(user->u_session, 0);
510 	if (sr == NULL)
511 		return;
512 
513 	/*
514 	 * Check user state, and take a hold if it's
515 	 * still logging on.  If not, we're done.
516 	 */
517 	mutex_enter(&user->u_mutex);
518 	if (user->u_state != SMB_USER_STATE_LOGGING_ON) {
519 		mutex_exit(&user->u_mutex);
520 		smb_request_free(sr);
521 		return;
522 	}
523 	/* smb_user_hold_internal */
524 	user->u_refcnt++;
525 	mutex_exit(&user->u_mutex);
526 
527 	/*
528 	 * The user hold is given to the SR, and released in
529 	 * smb_user_logoff_tq / smb_request_free
530 	 */
531 	sr->uid_user = user;
532 	sr->user_cr = user->u_cred;
533 	sr->sr_state = SMB_REQ_STATE_SUBMITTED;
534 
535 	(void) taskq_dispatch(
536 	    user->u_server->sv_worker_pool,
537 	    smb_user_logoff_tq, sr, TQ_SLEEP);
538 }
539 
540 /*
541  * Helper for smb_user_auth_tmo()
542  */
543 static void
544 smb_user_logoff_tq(void *arg)
545 {
546 	smb_request_t	*sr = arg;
547 
548 	SMB_REQ_VALID(sr);
549 
550 	mutex_enter(&sr->sr_mutex);
551 	sr->sr_worker = curthread;
552 	sr->sr_state = SMB_REQ_STATE_ACTIVE;
553 	mutex_exit(&sr->sr_mutex);
554 
555 	smb_user_logoff(sr->uid_user);
556 
557 	sr->sr_state = SMB_REQ_STATE_COMPLETED;
558 	smb_request_free(sr);
559 }
560 
561 /*
562  * Determine whether or not the user is an administrator.
563  * Members of the administrators group have administrative rights.
564  */
565 boolean_t
566 smb_user_is_admin(smb_user_t *user)
567 {
568 #ifdef	_KERNEL
569 	char		sidstr[SMB_SID_STRSZ];
570 	ksidlist_t	*ksidlist;
571 	ksid_t		ksid1;
572 	ksid_t		*ksid2;
573 	int		i;
574 #endif	/* _KERNEL */
575 	boolean_t	rc = B_FALSE;
576 
577 	ASSERT(user);
578 	ASSERT(user->u_cred);
579 
580 	if (SMB_USER_IS_ADMIN(user))
581 		return (B_TRUE);
582 
583 #ifdef	_KERNEL
584 	bzero(&ksid1, sizeof (ksid_t));
585 	(void) strlcpy(sidstr, ADMINISTRATORS_SID, SMB_SID_STRSZ);
586 	ASSERT(smb_sid_splitstr(sidstr, &ksid1.ks_rid) == 0);
587 	ksid1.ks_domain = ksid_lookupdomain(sidstr);
588 
589 	ksidlist = crgetsidlist(user->u_cred);
590 	ASSERT(ksidlist);
591 	ASSERT(ksid1.ks_domain);
592 	ASSERT(ksid1.ks_domain->kd_name);
593 
594 	i = 0;
595 	ksid2 = crgetsid(user->u_cred, KSID_USER);
596 	do {
597 		ASSERT(ksid2->ks_domain);
598 		ASSERT(ksid2->ks_domain->kd_name);
599 
600 		if (strcmp(ksid1.ks_domain->kd_name,
601 		    ksid2->ks_domain->kd_name) == 0 &&
602 		    ksid1.ks_rid == ksid2->ks_rid) {
603 			user->u_flags |= SMB_USER_FLAG_ADMIN;
604 			rc = B_TRUE;
605 			break;
606 		}
607 
608 		ksid2 = &ksidlist->ksl_sids[i];
609 	} while (i++ < ksidlist->ksl_nsid);
610 
611 	ksid_rele(&ksid1);
612 #endif	/* _KERNEL */
613 	return (rc);
614 }
615 
616 /*
617  * This function should be called with a hold on the user.
618  */
619 boolean_t
620 smb_user_namecmp(smb_user_t *user, const char *name)
621 {
622 	char		*fq_name;
623 	boolean_t	match;
624 
625 	if (smb_strcasecmp(name, user->u_name, 0) == 0)
626 		return (B_TRUE);
627 
628 	fq_name = kmem_alloc(MAXNAMELEN, KM_SLEEP);
629 
630 	(void) snprintf(fq_name, MAXNAMELEN, "%s\\%s",
631 	    user->u_domain, user->u_name);
632 
633 	match = (smb_strcasecmp(name, fq_name, 0) == 0);
634 	if (!match) {
635 		(void) snprintf(fq_name, MAXNAMELEN, "%s@%s",
636 		    user->u_name, user->u_domain);
637 
638 		match = (smb_strcasecmp(name, fq_name, 0) == 0);
639 	}
640 
641 	kmem_free(fq_name, MAXNAMELEN);
642 	return (match);
643 }
644 
645 /*
646  * If the enumeration request is for user data, handle the request
647  * here.  Otherwise, pass it on to the trees.
648  *
649  * This function should be called with a hold on the user.
650  */
651 int
652 smb_user_enum(smb_user_t *user, smb_svcenum_t *svcenum)
653 {
654 	int		rc = 0;
655 
656 	ASSERT(user);
657 	ASSERT(user->u_magic == SMB_USER_MAGIC);
658 
659 	if (svcenum->se_type == SMB_SVCENUM_TYPE_USER)
660 		return (smb_user_enum_private(user, svcenum));
661 
662 	return (rc);
663 }
664 
665 /*
666  * Count references by trees this user owns,
667  * and allow waiting for them to go away.
668  */
669 void
670 smb_user_inc_trees(smb_user_t *user)
671 {
672 	mutex_enter(&user->u_mutex);
673 	user->u_owned_tree_cnt++;
674 	mutex_exit(&user->u_mutex);
675 }
676 
677 void
678 smb_user_dec_trees(smb_user_t *user)
679 {
680 	mutex_enter(&user->u_mutex);
681 	user->u_owned_tree_cnt--;
682 	if (user->u_owned_tree_cnt == 0)
683 		cv_broadcast(&user->u_owned_tree_cv);
684 	mutex_exit(&user->u_mutex);
685 }
686 
687 int smb_user_wait_tree_tmo = 30;
688 
689 /*
690  * Wait (up to 30 sec.) for trees to go away.
691  * Should happen in less than a second.
692  */
693 void
694 smb_user_wait_trees(smb_user_t *user)
695 {
696 	clock_t	time;
697 
698 	time = SEC_TO_TICK(smb_user_wait_tree_tmo) + ddi_get_lbolt();
699 	mutex_enter(&user->u_mutex);
700 	while (user->u_owned_tree_cnt != 0) {
701 		if (cv_timedwait(&user->u_owned_tree_cv,
702 		    &user->u_mutex, time) < 0)
703 			break;
704 	}
705 	mutex_exit(&user->u_mutex);
706 #ifdef	DEBUG
707 	if (user->u_owned_tree_cnt != 0) {
708 		cmn_err(CE_NOTE, "smb_user_wait_trees failed");
709 		debug_enter("smb_user_wait_trees debug");
710 	}
711 #endif
712 }
713 
714 /* *************************** Static Functions ***************************** */
715 
716 /*
717  * Delete a user.  The tree list should be empty.
718  *
719  * Remove the user from the session's user list before freeing resources
720  * associated with the user.
721  */
722 static void
723 smb_user_delete(void *arg)
724 {
725 	smb_session_t	*session;
726 	smb_user_t	*user = (smb_user_t *)arg;
727 	uint32_t	ucount;
728 
729 	SMB_USER_VALID(user);
730 	ASSERT(user->u_refcnt == 0);
731 	ASSERT(user->u_state == SMB_USER_STATE_LOGGED_OFF);
732 	ASSERT(user->u_authsock == NULL);
733 	ASSERT(user->u_auth_tmo == NULL);
734 
735 	session = user->u_session;
736 
737 	smb_server_dec_users(session->s_server);
738 	smb_llist_enter(&session->s_user_list, RW_WRITER);
739 	smb_llist_remove(&session->s_user_list, user);
740 	smb_idpool_free(&session->s_uid_pool, user->u_uid);
741 	ucount = smb_llist_get_count(&session->s_user_list);
742 	smb_llist_exit(&session->s_user_list);
743 
744 	/*
745 	 * When the last smb_user_t object goes away, schedule a timeout
746 	 * after which we'll terminate this session if the client hasn't
747 	 * authenticated another smb_user_t on this session by then.
748 	 */
749 	if (ucount == 0) {
750 		smb_rwx_rwenter(&session->s_lock, RW_WRITER);
751 		if (session->s_state == SMB_SESSION_STATE_NEGOTIATED &&
752 		    session->s_auth_tmo == NULL) {
753 			session->s_auth_tmo =
754 			    timeout((tmo_func_t)smb_session_disconnect,
755 			    session, SEC_TO_TICK(smb_session_auth_tmo));
756 		}
757 		smb_rwx_cvbcast(&session->s_lock);
758 		smb_rwx_rwexit(&session->s_lock);
759 	}
760 
761 	/*
762 	 * This user is no longer on s_user_list, however...
763 	 *
764 	 * This is called via smb_llist_post, which means it may run
765 	 * BEFORE smb_user_release drops u_mutex (if another thread
766 	 * flushes the delete queue before we do).  Synchronize.
767 	 */
768 	mutex_enter(&user->u_mutex);
769 	mutex_exit(&user->u_mutex);
770 
771 	user->u_magic = (uint32_t)~SMB_USER_MAGIC;
772 	mutex_destroy(&user->u_mutex);
773 	if (user->u_cred)
774 		crfree(user->u_cred);
775 	if (user->u_privcred)
776 		crfree(user->u_privcred);
777 	smb_mem_free(user->u_name);
778 	smb_mem_free(user->u_domain);
779 	kmem_cache_free(smb_cache_user, user);
780 }
781 
782 cred_t *
783 smb_user_getcred(smb_user_t *user)
784 {
785 	return (user->u_cred);
786 }
787 
788 cred_t *
789 smb_user_getprivcred(smb_user_t *user)
790 {
791 	return ((user->u_privcred)? user->u_privcred : user->u_cred);
792 }
793 
794 #ifdef	_KERNEL
795 /*
796  * Assign the user cred and privileges.
797  *
798  * If the user has backup and/or restore privleges, dup the cred
799  * and add those privileges to this new privileged cred.
800  */
801 void
802 smb_user_setcred(smb_user_t *user, cred_t *cr, uint32_t privileges)
803 {
804 	cred_t *privcred = NULL;
805 
806 	ASSERT(cr);
807 	crhold(cr);
808 
809 	/*
810 	 * See smb.4 bypass_traverse_checking
811 	 *
812 	 * For historical reasons, the Windows privilege is named
813 	 * SeChangeNotifyPrivilege, though the description is
814 	 * "Bypass traverse checking".
815 	 */
816 	if ((privileges & SMB_USER_PRIV_CHANGE_NOTIFY) != 0) {
817 		(void) crsetpriv(cr, PRIV_FILE_DAC_SEARCH, NULL);
818 	}
819 
820 	/*
821 	 * Window's "take ownership privilege" is similar to our
822 	 * PRIV_FILE_CHOWN privilege. It's normally given to members of the
823 	 * "Administrators" group, which normally includes the the local
824 	 * Administrator (like root) and when joined to a domain,
825 	 * "Domain Admins".
826 	 */
827 	if ((privileges & SMB_USER_PRIV_TAKE_OWNERSHIP) != 0) {
828 		(void) crsetpriv(cr,
829 		    PRIV_FILE_CHOWN,
830 		    PRIV_FILE_CHOWN_SELF,
831 		    NULL);
832 	}
833 
834 	/*
835 	 * Bypass ACL for READ accesses.
836 	 */
837 	if ((privileges & SMB_USER_PRIV_READ_FILE) != 0) {
838 		(void) crsetpriv(cr, PRIV_FILE_DAC_READ, NULL);
839 	}
840 
841 	/*
842 	 * Bypass ACL for WRITE accesses.
843 	 * Include FILE_OWNER, as it covers WRITE_ACL and DELETE.
844 	 */
845 	if ((privileges & SMB_USER_PRIV_WRITE_FILE) != 0) {
846 		(void) crsetpriv(cr,
847 		    PRIV_FILE_DAC_WRITE,
848 		    PRIV_FILE_OWNER,
849 		    NULL);
850 	}
851 
852 	/*
853 	 * These privileges are used only when a file is opened with
854 	 * 'backup intent'. These allow users to bypass certain access
855 	 * controls. Administrators typically have these privileges,
856 	 * and they are used during recursive take-ownership operations.
857 	 * Some commonly used tools use 'backup intent' to administrate
858 	 * files that do not grant explicit permissions to Administrators.
859 	 */
860 	if (privileges & (SMB_USER_PRIV_BACKUP | SMB_USER_PRIV_RESTORE))
861 		privcred = crdup(cr);
862 
863 	if (privcred != NULL) {
864 		if (privileges & SMB_USER_PRIV_BACKUP) {
865 			(void) crsetpriv(privcred, PRIV_FILE_DAC_READ,
866 			    PRIV_FILE_DAC_SEARCH, PRIV_SYS_MOUNT, NULL);
867 		}
868 
869 		if (privileges & SMB_USER_PRIV_RESTORE) {
870 			(void) crsetpriv(privcred, PRIV_FILE_DAC_WRITE,
871 			    PRIV_FILE_CHOWN, PRIV_FILE_CHOWN_SELF,
872 			    PRIV_FILE_DAC_SEARCH, PRIV_FILE_LINK_ANY,
873 			    PRIV_FILE_OWNER, PRIV_FILE_SETID,
874 			    PRIV_SYS_LINKDIR, PRIV_SYS_MOUNT, NULL);
875 		}
876 	}
877 
878 	user->u_cred = cr;
879 	user->u_privcred = privcred;
880 	user->u_privileges = privileges;
881 }
882 #endif	/* _KERNEL */
883 
884 /*
885  * Determines whether a user can be granted ACCESS_SYSTEM_SECURITY
886  */
887 boolean_t
888 smb_user_has_security_priv(smb_user_t *user, cred_t *cr)
889 {
890 	/* Need SeSecurityPrivilege to get/set SACL */
891 	if ((user->u_privileges & SMB_USER_PRIV_SECURITY) != 0)
892 		return (B_TRUE);
893 
894 #ifdef _KERNEL
895 	/*
896 	 * ACCESS_SYSTEM_SECURITY is also granted if the file is opened with
897 	 * BACKUP/RESTORE intent by a user with BACKUP/RESTORE privilege,
898 	 * which means we'll be using u_privcred.
899 	 *
900 	 * We translate BACKUP as DAC_READ and RESTORE as DAC_WRITE,
901 	 * to account for our various SMB_USER_* privileges.
902 	 */
903 	if (PRIV_POLICY_ONLY(cr,
904 	    priv_getbyname(PRIV_FILE_DAC_READ, 0), B_FALSE) ||
905 	    PRIV_POLICY_ONLY(cr,
906 	    priv_getbyname(PRIV_FILE_DAC_WRITE, 0), B_FALSE))
907 		return (B_TRUE);
908 #else
909 	/*
910 	 * No "real" privileges in fksmbsrv, so use the SMB privs instead.
911 	 */
912 	if ((user->u_privileges &
913 	    (SMB_USER_PRIV_BACKUP |
914 	    SMB_USER_PRIV_RESTORE |
915 	    SMB_USER_PRIV_READ_FILE |
916 	    SMB_USER_PRIV_WRITE_FILE)) != 0)
917 		return (B_TRUE);
918 #endif
919 
920 	return (B_FALSE);
921 }
922 
923 /*
924  * Private function to support smb_user_enum.
925  */
926 static int
927 smb_user_enum_private(smb_user_t *user, smb_svcenum_t *svcenum)
928 {
929 	uint8_t *pb;
930 	uint_t nbytes;
931 	int rc;
932 
933 	if (svcenum->se_nskip > 0) {
934 		svcenum->se_nskip--;
935 		return (0);
936 	}
937 
938 	if (svcenum->se_nitems >= svcenum->se_nlimit) {
939 		svcenum->se_nitems = svcenum->se_nlimit;
940 		return (0);
941 	}
942 
943 	pb = &svcenum->se_buf[svcenum->se_bused];
944 	rc = smb_user_netinfo_encode(user, pb, svcenum->se_bavail, &nbytes);
945 	if (rc == 0) {
946 		svcenum->se_bavail -= nbytes;
947 		svcenum->se_bused += nbytes;
948 		svcenum->se_nitems++;
949 	}
950 
951 	return (rc);
952 }
953 
954 /*
955  * Encode the NetInfo for a user into a buffer.  NetInfo contains
956  * information that is often needed in user space to support RPC
957  * requests.
958  */
959 int
960 smb_user_netinfo_encode(smb_user_t *user, uint8_t *buf, size_t buflen,
961     uint32_t *nbytes)
962 {
963 	smb_netuserinfo_t	info;
964 	int			rc;
965 
966 	smb_user_netinfo_init(user, &info);
967 	rc = smb_netuserinfo_encode(&info, buf, buflen, nbytes);
968 	smb_user_netinfo_fini(&info);
969 
970 	return (rc);
971 }
972 
973 void
974 smb_user_netinfo_init(smb_user_t *user, smb_netuserinfo_t *info)
975 {
976 	smb_session_t	*session;
977 	char		*buf;
978 
979 	ASSERT(user);
980 	ASSERT(user->u_domain);
981 	ASSERT(user->u_name);
982 
983 	session = user->u_session;
984 	ASSERT(session);
985 	ASSERT(session->workstation);
986 
987 	info->ui_session_id = session->s_kid;
988 	info->ui_native_os = session->native_os;
989 	info->ui_ipaddr = session->ipaddr;
990 	info->ui_numopens = session->s_file_cnt;
991 	info->ui_logon_time = user->u_logon_time;
992 	info->ui_flags = user->u_flags;
993 	info->ui_posix_uid = crgetuid(user->u_cred);
994 
995 	info->ui_domain_len = user->u_domain_len;
996 	info->ui_domain = smb_mem_strdup(user->u_domain);
997 
998 	info->ui_account_len = user->u_name_len;
999 	info->ui_account = smb_mem_strdup(user->u_name);
1000 
1001 	buf = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1002 	smb_session_getclient(session, buf, MAXNAMELEN);
1003 	info->ui_workstation_len = strlen(buf) + 1;
1004 	info->ui_workstation = smb_mem_strdup(buf);
1005 	kmem_free(buf, MAXNAMELEN);
1006 }
1007 
1008 void
1009 smb_user_netinfo_fini(smb_netuserinfo_t *info)
1010 {
1011 	if (info == NULL)
1012 		return;
1013 
1014 	if (info->ui_domain)
1015 		smb_mem_free(info->ui_domain);
1016 	if (info->ui_account)
1017 		smb_mem_free(info->ui_account);
1018 	if (info->ui_workstation)
1019 		smb_mem_free(info->ui_workstation);
1020 
1021 	bzero(info, sizeof (smb_netuserinfo_t));
1022 }
1023 
1024 /*
1025  * Tell smbd this user is going away so it can clean up their
1026  * audit session, autohome dir, etc.
1027  *
1028  * Note that when we're shutting down, smbd will already have set
1029  * smbd.s_shutting_down and therefore will ignore door calls.
1030  * Skip this during shutdown to reduce upcall noise.
1031  */
1032 static void
1033 smb_user_auth_logoff(smb_user_t *user)
1034 {
1035 	smb_server_t *sv = user->u_server;
1036 	uint32_t audit_sid;
1037 
1038 	if (sv->sv_state != SMB_SERVER_STATE_RUNNING)
1039 		return;
1040 
1041 	audit_sid = user->u_audit_sid;
1042 	(void) smb_kdoor_upcall(sv, SMB_DR_USER_AUTH_LOGOFF,
1043 	    &audit_sid, xdr_uint32_t, NULL, NULL);
1044 }
1045 
1046 boolean_t
1047 smb_is_same_user(cred_t *cr1, cred_t *cr2)
1048 {
1049 	ksid_t *ks1 = crgetsid(cr1, KSID_USER);
1050 	ksid_t *ks2 = crgetsid(cr2, KSID_USER);
1051 
1052 	if (ks1 == NULL || ks2 == NULL) {
1053 		return (B_FALSE);
1054 	}
1055 	return (ks1->ks_rid == ks2->ks_rid &&
1056 	    strcmp(ks1->ks_domain->kd_name, ks2->ks_domain->kd_name) == 0);
1057 }
1058