1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #ifndef _SMB_TOKEN_H 27 #define _SMB_TOKEN_H 28 29 #pragma ident "%Z%%M% %I% %E% SMI" 30 31 #include <smbsrv/netrauth.h> 32 #include <smbsrv/smb_privilege.h> 33 34 #ifdef __cplusplus 35 extern "C" { 36 #endif 37 38 /* 39 * User Session Key 40 * 41 * This is part of the MAC key which is required for signing SMB messages. 42 */ 43 typedef struct smb_session_key { 44 uint8_t data[16]; 45 } smb_session_key_t; 46 47 /* 48 * Access Token 49 * 50 * An access token identifies a user, the user's privileges and the 51 * list of groups of which the user is a member. This information is 52 * used when access is requested to an object by comparing this 53 * information with the DACL in the object's security descriptor. 54 * 55 * Only group attributes are defined. No user attributes defined. 56 */ 57 58 #define SE_GROUP_MANDATORY 0x00000001 59 #define SE_GROUP_ENABLED_BY_DEFAULT 0x00000002 60 #define SE_GROUP_ENABLED 0x00000004 61 #define SE_GROUP_OWNER 0x00000008 62 #define SE_GROUP_USE_FOR_DENY_ONLY 0x00000010 63 #define SE_GROUP_LOGON_ID 0xC0000000 64 65 typedef struct smb_sid_attrs { 66 uint32_t attrs; 67 nt_sid_t *sid; 68 } smb_sid_attrs_t; 69 70 /* 71 * smb_id_t consists of both the Windows security identifier 72 * and its corresponding POSIX/ephemeral ID. 73 */ 74 typedef struct smb_id { 75 smb_sid_attrs_t i_sidattr; 76 uid_t i_id; 77 } smb_id_t; 78 79 /* 80 * Windows groups (each group SID is associated with a POSIX/ephemeral 81 * gid. 82 */ 83 typedef struct smb_win_grps { 84 uint16_t wg_count; 85 smb_id_t wg_groups[ANY_SIZE_ARRAY]; 86 } smb_win_grps_t; 87 88 /* 89 * Access Token Flags 90 * 91 * SMB_ATF_GUEST Token belongs to guest user 92 * SMB_ATF_ANON Token belongs to anonymous user 93 * and it's only good for IPC Connection. 94 * SMB_ATF_POWERUSER Token belongs to a Power User member 95 * SMB_ATF_BACKUPOP Token belongs to a Power User member 96 * SMB_ATF_ADMIN Token belongs to a Domain Admins member 97 */ 98 #define SMB_ATF_GUEST 0x00000001 99 #define SMB_ATF_ANON 0x00000002 100 #define SMB_ATF_POWERUSER 0x00000004 101 #define SMB_ATF_BACKUPOP 0x00000008 102 #define SMB_ATF_ADMIN 0x00000010 103 104 #define SMB_POSIX_GRPS_SIZE(n) \ 105 (sizeof (smb_posix_grps_t) + (n - 1) * sizeof (gid_t)) 106 /* 107 * It consists of the primary and supplementary POSIX groups. 108 */ 109 typedef struct smb_posix_grps { 110 uint32_t pg_ngrps; 111 gid_t pg_grps[ANY_SIZE_ARRAY]; 112 } smb_posix_grps_t; 113 114 /* 115 * Token Structure. 116 * 117 * This structure contains information of a user. There should be one 118 * unique token per user per session per client. The information 119 * provided will either give or deny access to shares, files or folders. 120 */ 121 typedef struct smb_token { 122 smb_id_t *tkn_user; 123 smb_id_t *tkn_owner; 124 smb_id_t *tkn_primary_grp; 125 smb_win_grps_t *tkn_win_grps; 126 smb_privset_t *tkn_privileges; 127 char *tkn_account_name; 128 char *tkn_domain_name; 129 uint32_t tkn_flags; 130 uint32_t tkn_audit_sid; 131 smb_session_key_t *tkn_session_key; 132 smb_posix_grps_t *tkn_posix_grps; 133 } smb_token_t; 134 135 /* 136 * This is the max buffer length for holding certain fields of 137 * any access token: domain, account, workstation, and IP with the 138 * format as show below: 139 * [domain name]\[user account] [workstation] (IP) 140 * 141 * This is not meant to be the maximum buffer length for holding 142 * the entire context of a token. 143 */ 144 #define NTTOKEN_BASIC_INFO_MAXLEN (SMB_PI_MAX_DOMAIN + SMB_PI_MAX_USERNAME \ 145 + SMB_PI_MAX_HOST + INET_ADDRSTRLEN + 8) 146 147 /* 148 * Information returned by an RPC call is allocated on an internal heap 149 * which is deallocated before returning from the interface call. The 150 * smb_userinfo structure provides a useful common mechanism to get the 151 * information back to the caller. It's like a compact access token but 152 * only parts of it are filled in by each RPC so the content is call 153 * specific. 154 */ 155 typedef struct smb_rid_attrs { 156 uint32_t rid; 157 uint32_t attributes; 158 } smb_rid_attrs_t; 159 160 #define SMB_UINFO_FLAG_ANON 0x01 161 #define SMB_UINFO_FLAG_LADMIN 0x02 /* Local admin */ 162 #define SMB_UINFO_FLAG_DADMIN 0x04 /* Domain admin */ 163 #define SMB_UINFO_FLAG_ADMIN (SMB_UINFO_FLAG_LADMIN | SMB_UINFO_FLAG_DADMIN) 164 165 /* 166 * This structure is mainly used where there's some 167 * kind of user related interaction with a domain 168 * controller via different RPC calls. 169 */ 170 typedef struct smb_userinfo { 171 uint16_t sid_name_use; 172 uint32_t rid; 173 uint32_t primary_group_rid; 174 char *name; 175 char *domain_name; 176 nt_sid_t *domain_sid; 177 uint32_t n_groups; 178 smb_rid_attrs_t *groups; 179 uint32_t n_other_grps; 180 smb_sid_attrs_t *other_grps; 181 smb_session_key_t *session_key; 182 183 nt_sid_t *user_sid; 184 nt_sid_t *pgrp_sid; 185 uint32_t flags; 186 } smb_userinfo_t; 187 188 /* XDR routines */ 189 extern bool_t xdr_smb_session_key_t(); 190 extern bool_t xdr_netr_client_t(); 191 extern bool_t xdr_nt_sid_t(); 192 extern bool_t xdr_smb_sid_attrs_t(); 193 extern bool_t xdr_smb_id_t(); 194 extern bool_t xdr_smb_win_grps_t(); 195 extern bool_t xdr_smb_posix_grps_t(); 196 extern bool_t xdr_smb_token_t(); 197 198 199 #ifndef _KERNEL 200 smb_token_t *smb_logon(netr_client_t *clnt); 201 void smb_token_destroy(smb_token_t *token); 202 uint8_t *smb_token_mkselfrel(smb_token_t *obj, uint32_t *len); 203 netr_client_t *netr_client_mkabsolute(uint8_t *buf, uint32_t len); 204 void netr_client_xfree(netr_client_t *); 205 #else /* _KERNEL */ 206 smb_token_t *smb_token_mkabsolute(uint8_t *buf, uint32_t len); 207 void smb_token_free(smb_token_t *token); 208 uint8_t *netr_client_mkselfrel(netr_client_t *obj, uint32_t *len); 209 #endif /* _KERNEL */ 210 211 int smb_token_query_privilege(smb_token_t *token, int priv_id); 212 /* 213 * Diagnostic routines: 214 * smb_token_print: write the contents of a token to the log. 215 * smb_token_log: log message is prefixed with token basic info. 216 */ 217 void smb_token_print(smb_token_t *token); 218 void smb_token_log(int level, smb_dr_user_ctx_t *user_ctx, char *fmt, ...); 219 220 #ifdef __cplusplus 221 } 222 #endif 223 224 225 #endif /* _SMB_TOKEN_H */ 226