1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <unistd.h> 27 #include <strings.h> 28 #include <pwd.h> 29 #include <grp.h> 30 #include <time.h> 31 #include <syslog.h> 32 #include <assert.h> 33 #include <synch.h> 34 35 #include <smbsrv/libsmb.h> 36 #include <smbsrv/libmlsvc.h> 37 38 #include <smbsrv/smbinfo.h> 39 #include <smbsrv/smb_token.h> 40 #include <lsalib.h> 41 42 static smb_account_t smb_guest; 43 static smb_account_t smb_domusers; 44 static rwlock_t smb_logoninit_rwl; 45 46 typedef void (*smb_logonop_t)(smb_logon_t *, smb_token_t *); 47 48 extern void smb_logon_domain(smb_logon_t *, smb_token_t *); 49 static void smb_logon_local(smb_logon_t *, smb_token_t *); 50 static void smb_logon_guest(smb_logon_t *, smb_token_t *); 51 static void smb_logon_anon(smb_logon_t *, smb_token_t *); 52 53 static uint32_t smb_token_auth_local(smb_logon_t *, smb_token_t *, 54 smb_passwd_t *); 55 56 static uint32_t smb_token_setup_local(smb_passwd_t *, smb_token_t *); 57 static uint32_t smb_token_setup_guest(smb_logon_t *, smb_token_t *); 58 static uint32_t smb_token_setup_anon(smb_token_t *token); 59 60 static boolean_t smb_token_is_member(smb_token_t *, smb_sid_t *); 61 static uint32_t smb_token_setup_wingrps(smb_token_t *); 62 static smb_posix_grps_t *smb_token_create_pxgrps(uid_t); 63 64 static void smb_guest_account(char *, size_t); 65 66 /* Consolidation private function from Network Repository */ 67 extern int _getgroupsbymember(const char *, gid_t[], int, int); 68 69 static idmap_stat 70 smb_token_idmap(smb_token_t *token, smb_idmap_batch_t *sib) 71 { 72 idmap_stat stat; 73 smb_idmap_t *sim; 74 smb_id_t *id; 75 int i; 76 77 if (!token || !sib) 78 return (IDMAP_ERR_ARG); 79 80 sim = sib->sib_maps; 81 82 if (token->tkn_flags & SMB_ATF_ANON) { 83 token->tkn_user.i_id = UID_NOBODY; 84 token->tkn_owner.i_id = UID_NOBODY; 85 } else { 86 /* User SID */ 87 id = &token->tkn_user; 88 sim->sim_id = &id->i_id; 89 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, 90 id->i_sid, SMB_IDMAP_USER); 91 92 if (stat != IDMAP_SUCCESS) 93 return (stat); 94 95 /* Owner SID */ 96 id = &token->tkn_owner; 97 sim->sim_id = &id->i_id; 98 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, 99 id->i_sid, SMB_IDMAP_USER); 100 101 if (stat != IDMAP_SUCCESS) 102 return (stat); 103 } 104 105 /* Primary Group SID */ 106 id = &token->tkn_primary_grp; 107 sim->sim_id = &id->i_id; 108 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, id->i_sid, 109 SMB_IDMAP_GROUP); 110 111 if (stat != IDMAP_SUCCESS) 112 return (stat); 113 114 /* Other Windows Group SIDs */ 115 for (i = 0; i < token->tkn_win_grps.i_cnt; i++, sim++) { 116 id = &token->tkn_win_grps.i_ids[i]; 117 sim->sim_id = &id->i_id; 118 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim, 119 id->i_sid, SMB_IDMAP_GROUP); 120 121 if (stat != IDMAP_SUCCESS) 122 break; 123 } 124 125 return (stat); 126 } 127 128 /* 129 * smb_token_sids2ids 130 * 131 * This will map all the SIDs of the access token to UIDs/GIDs. 132 * 133 * Returns 0 upon success. Otherwise, returns -1. 134 */ 135 static int 136 smb_token_sids2ids(smb_token_t *token) 137 { 138 idmap_stat stat; 139 int nmaps, retries = 0; 140 smb_idmap_batch_t sib; 141 142 /* 143 * Number of idmap lookups: user SID, owner SID, primary group SID, 144 * and all Windows group SIDs. Skip user/owner SID for Anonymous. 145 */ 146 if (token->tkn_flags & SMB_ATF_ANON) 147 nmaps = token->tkn_win_grps.i_cnt + 1; 148 else 149 nmaps = token->tkn_win_grps.i_cnt + 3; 150 151 do { 152 stat = smb_idmap_batch_create(&sib, nmaps, SMB_IDMAP_SID2ID); 153 if (stat != IDMAP_SUCCESS) 154 return (-1); 155 156 stat = smb_token_idmap(token, &sib); 157 if (stat != IDMAP_SUCCESS) { 158 smb_idmap_batch_destroy(&sib); 159 return (-1); 160 } 161 162 stat = smb_idmap_batch_getmappings(&sib); 163 smb_idmap_batch_destroy(&sib); 164 smb_idmap_check("smb_idmap_batch_getmappings", stat); 165 } while (stat == IDMAP_ERR_RPC_HANDLE && retries++ < 3); 166 167 return (stat == IDMAP_SUCCESS ? 0 : -1); 168 } 169 170 /* 171 * smb_token_create_pxgrps 172 * 173 * Setup the POSIX group membership of the access token if the given UID is 174 * a POSIX UID (non-ephemeral). Both the user's primary group and 175 * supplementary groups will be added to the POSIX group array of the access 176 * token. 177 */ 178 static smb_posix_grps_t * 179 smb_token_create_pxgrps(uid_t uid) 180 { 181 struct passwd *pwd; 182 smb_posix_grps_t *pgrps; 183 int ngroups_max, num; 184 gid_t *gids; 185 186 if ((ngroups_max = sysconf(_SC_NGROUPS_MAX)) < 0) { 187 syslog(LOG_ERR, "smb_logon: failed to get _SC_NGROUPS_MAX"); 188 return (NULL); 189 } 190 191 pwd = getpwuid(uid); 192 if (pwd == NULL) { 193 pgrps = malloc(sizeof (smb_posix_grps_t)); 194 if (pgrps == NULL) 195 return (NULL); 196 197 pgrps->pg_ngrps = 0; 198 return (pgrps); 199 } 200 201 if (pwd->pw_name == NULL) { 202 pgrps = malloc(sizeof (smb_posix_grps_t)); 203 if (pgrps == NULL) 204 return (NULL); 205 206 pgrps->pg_ngrps = 1; 207 pgrps->pg_grps[0] = pwd->pw_gid; 208 return (pgrps); 209 } 210 211 gids = (gid_t *)malloc(ngroups_max * sizeof (gid_t)); 212 if (gids == NULL) { 213 return (NULL); 214 } 215 bzero(gids, ngroups_max * sizeof (gid_t)); 216 217 gids[0] = pwd->pw_gid; 218 219 /* 220 * Setup the groups starting at index 1 (the last arg) 221 * of gids array. 222 */ 223 num = _getgroupsbymember(pwd->pw_name, gids, ngroups_max, 1); 224 225 if (num == -1) { 226 syslog(LOG_ERR, "smb_logon: unable " 227 "to get user's supplementary groups"); 228 num = 1; 229 } 230 231 pgrps = (smb_posix_grps_t *)malloc(SMB_POSIX_GRPS_SIZE(num)); 232 if (pgrps) { 233 pgrps->pg_ngrps = num; 234 bcopy(gids, pgrps->pg_grps, num * sizeof (gid_t)); 235 } 236 237 free(gids); 238 return (pgrps); 239 } 240 241 /* 242 * smb_token_destroy 243 * 244 * Release all of the memory associated with a token structure. Ensure 245 * that the token has been unlinked before calling. 246 */ 247 void 248 smb_token_destroy(smb_token_t *token) 249 { 250 if (token != NULL) { 251 smb_sid_free(token->tkn_user.i_sid); 252 smb_sid_free(token->tkn_owner.i_sid); 253 smb_sid_free(token->tkn_primary_grp.i_sid); 254 smb_ids_free(&token->tkn_win_grps); 255 smb_privset_free(token->tkn_privileges); 256 free(token->tkn_posix_grps); 257 free(token->tkn_account_name); 258 free(token->tkn_domain_name); 259 free(token->tkn_session_key); 260 bzero(token, sizeof (smb_token_t)); 261 free(token); 262 } 263 } 264 265 /* 266 * Token owner should be set to local Administrators group 267 * in two cases: 268 * 1. The logged on user is a member of Domain Admins group 269 * 2. he/she is a member of local Administrators group 270 */ 271 static void 272 smb_token_set_owner(smb_token_t *token) 273 { 274 #ifdef SMB_SUPPORT_GROUP_OWNER 275 smb_sid_t *owner_sid; 276 277 if (token->tkn_flags & SMB_ATF_ADMIN) { 278 owner_sid = smb_wka_get_sid("Administrators"); 279 assert(owner_sid); 280 } else { 281 owner_sid = token->tkn_user->i_sid; 282 } 283 284 token->tkn_owner.i_sid = smb_sid_dup(owner_sid); 285 #endif 286 token->tkn_owner.i_sid = smb_sid_dup(token->tkn_user.i_sid); 287 } 288 289 static smb_privset_t * 290 smb_token_create_privs(smb_token_t *token) 291 { 292 smb_privset_t *privs; 293 smb_giter_t gi; 294 smb_group_t grp; 295 int rc; 296 297 privs = smb_privset_new(); 298 if (privs == NULL) 299 return (NULL); 300 301 if (smb_lgrp_iteropen(&gi) != SMB_LGRP_SUCCESS) { 302 smb_privset_free(privs); 303 return (NULL); 304 } 305 306 while (smb_lgrp_iterate(&gi, &grp) == SMB_LGRP_SUCCESS) { 307 if (smb_lgrp_is_member(&grp, token->tkn_user.i_sid)) 308 smb_privset_merge(privs, grp.sg_privs); 309 smb_lgrp_free(&grp); 310 } 311 smb_lgrp_iterclose(&gi); 312 313 if (token->tkn_flags & SMB_ATF_ADMIN) { 314 rc = smb_lgrp_getbyname("Administrators", &grp); 315 if (rc == SMB_LGRP_SUCCESS) { 316 smb_privset_merge(privs, grp.sg_privs); 317 smb_lgrp_free(&grp); 318 } 319 320 /* 321 * This privilege is required to view/edit SACL 322 */ 323 smb_privset_enable(privs, SE_SECURITY_LUID); 324 } 325 326 return (privs); 327 } 328 329 static void 330 smb_token_set_flags(smb_token_t *token) 331 { 332 if (smb_token_is_member(token, smb_wka_get_sid("Administrators"))) 333 token->tkn_flags |= SMB_ATF_ADMIN; 334 335 if (smb_token_is_member(token, smb_wka_get_sid("Power Users"))) 336 token->tkn_flags |= SMB_ATF_POWERUSER; 337 338 if (smb_token_is_member(token, smb_wka_get_sid("Backup Operators"))) 339 token->tkn_flags |= SMB_ATF_BACKUPOP; 340 } 341 342 /* 343 * Common token setup for both local and domain users. 344 * This function must be called after the initial setup 345 * has been done. 346 * 347 * Note that the order of calls in this function are important. 348 */ 349 static boolean_t 350 smb_token_setup_common(smb_token_t *token) 351 { 352 smb_token_set_flags(token); 353 354 smb_token_set_owner(token); 355 if (token->tkn_owner.i_sid == NULL) 356 return (B_FALSE); 357 358 /* Privileges */ 359 token->tkn_privileges = smb_token_create_privs(token); 360 if (token->tkn_privileges == NULL) 361 return (B_FALSE); 362 363 if (smb_token_sids2ids(token) != 0) { 364 syslog(LOG_ERR, "%s\\%s: idmap failed", 365 token->tkn_domain_name, token->tkn_account_name); 366 return (B_FALSE); 367 } 368 369 /* Solaris Groups */ 370 token->tkn_posix_grps = smb_token_create_pxgrps(token->tkn_user.i_id); 371 372 return (smb_token_valid(token)); 373 } 374 375 uint32_t 376 smb_logon_init(void) 377 { 378 uint32_t status; 379 380 (void) rw_wrlock(&smb_logoninit_rwl); 381 status = smb_sam_lookup_name(NULL, "guest", SidTypeUser, &smb_guest); 382 if (status != NT_STATUS_SUCCESS) { 383 (void) rw_unlock(&smb_logoninit_rwl); 384 return (status); 385 } 386 387 status = smb_sam_lookup_name(NULL, "domain users", SidTypeGroup, 388 &smb_domusers); 389 if (status != NT_STATUS_SUCCESS) { 390 smb_account_free(&smb_guest); 391 bzero(&smb_guest, sizeof (smb_account_t)); 392 (void) rw_unlock(&smb_logoninit_rwl); 393 return (status); 394 } 395 396 (void) rw_unlock(&smb_logoninit_rwl); 397 return (status); 398 } 399 400 void 401 smb_logon_fini(void) 402 { 403 (void) rw_wrlock(&smb_logoninit_rwl); 404 smb_account_free(&smb_guest); 405 smb_account_free(&smb_domusers); 406 bzero(&smb_guest, sizeof (smb_account_t)); 407 bzero(&smb_domusers, sizeof (smb_account_t)); 408 (void) rw_unlock(&smb_logoninit_rwl); 409 } 410 411 /* 412 * Perform user authentication. 413 * 414 * The dispatched functions must only update the user_info status if they 415 * attempt to authenticate the user. 416 * 417 * On success, a pointer to a new access token is returned. 418 */ 419 smb_token_t * 420 smb_logon(smb_logon_t *user_info) 421 { 422 static smb_logonop_t ops[] = { 423 smb_logon_anon, 424 smb_logon_local, 425 smb_logon_domain, 426 smb_logon_guest 427 }; 428 smb_token_t *token = NULL; 429 smb_domain_t domain; 430 int n_op = (sizeof (ops) / sizeof (ops[0])); 431 int i; 432 433 user_info->lg_secmode = smb_config_get_secmode(); 434 user_info->lg_status = NT_STATUS_NO_SUCH_USER; 435 436 if (smb_domain_lookup_name(user_info->lg_e_domain, &domain)) 437 user_info->lg_domain_type = domain.di_type; 438 else 439 user_info->lg_domain_type = SMB_DOMAIN_NULL; 440 441 if ((token = calloc(1, sizeof (smb_token_t))) == NULL) { 442 syslog(LOG_ERR, "logon[%s\\%s]: %m", 443 user_info->lg_e_domain, user_info->lg_e_username); 444 return (NULL); 445 } 446 447 for (i = 0; i < n_op; ++i) { 448 (*ops[i])(user_info, token); 449 450 if (user_info->lg_status == NT_STATUS_SUCCESS) 451 break; 452 } 453 454 if (user_info->lg_status == NT_STATUS_SUCCESS) { 455 if (smb_token_setup_common(token)) 456 return (token); 457 } 458 459 smb_token_destroy(token); 460 return (NULL); 461 } 462 463 /* 464 * If the user has an entry in the local database, attempt local authentication. 465 * 466 * In domain mode, we try to exclude domain accounts, which we do by only 467 * accepting local or null (blank) domain names here. Some clients (Mac OS) 468 * don't always send the domain name. 469 * 470 * If we are not going to attempt authentication, this function must return 471 * without updating the status. 472 */ 473 static void 474 smb_logon_local(smb_logon_t *user_info, smb_token_t *token) 475 { 476 char guest[SMB_USERNAME_MAXLEN]; 477 smb_passwd_t smbpw; 478 uint32_t status; 479 boolean_t isguest; 480 481 if (user_info->lg_secmode == SMB_SECMODE_DOMAIN) { 482 if ((user_info->lg_domain_type != SMB_DOMAIN_LOCAL) && 483 (user_info->lg_domain_type != SMB_DOMAIN_NULL)) 484 return; 485 } 486 487 smb_guest_account(guest, SMB_USERNAME_MAXLEN); 488 isguest = (smb_strcasecmp(guest, user_info->lg_e_username, 0) == 0); 489 490 status = smb_token_auth_local(user_info, token, &smbpw); 491 if (status == NT_STATUS_SUCCESS) { 492 if (isguest) 493 status = smb_token_setup_guest(user_info, token); 494 else 495 status = smb_token_setup_local(&smbpw, token); 496 } 497 498 user_info->lg_status = status; 499 } 500 501 /* 502 * Guest authentication. This may be a local guest account or the guest 503 * account may be mapped to a local account. These accounts are regular 504 * accounts with normal password protection. 505 * 506 * Only proceed with a guest logon if previous logon options have resulted 507 * in NO_SUCH_USER. 508 * 509 * If we are not going to attempt authentication, this function must return 510 * without updating the status. 511 */ 512 static void 513 smb_logon_guest(smb_logon_t *user_info, smb_token_t *token) 514 { 515 char guest[SMB_USERNAME_MAXLEN]; 516 smb_passwd_t smbpw; 517 char *temp; 518 uint32_t status; 519 520 if (user_info->lg_status != NT_STATUS_NO_SUCH_USER) 521 return; 522 523 smb_guest_account(guest, SMB_USERNAME_MAXLEN); 524 temp = user_info->lg_e_username; 525 user_info->lg_e_username = guest; 526 527 status = smb_token_auth_local(user_info, token, &smbpw); 528 if ((status == NT_STATUS_SUCCESS) || 529 (status == NT_STATUS_NO_SUCH_USER)) { 530 status = smb_token_setup_guest(user_info, token); 531 } 532 533 user_info->lg_e_username = temp; 534 user_info->lg_status = status; 535 } 536 537 /* 538 * If user_info represents an anonymous user then setup the token. 539 * Otherwise return without updating the status. 540 */ 541 static void 542 smb_logon_anon(smb_logon_t *user_info, smb_token_t *token) 543 { 544 if (user_info->lg_flags & SMB_ATF_ANON) 545 user_info->lg_status = smb_token_setup_anon(token); 546 } 547 548 /* 549 * Try both LM hash and NT hashes with user's password(s) to authenticate 550 * the user. 551 */ 552 static uint32_t 553 smb_token_auth_local(smb_logon_t *user_info, smb_token_t *token, 554 smb_passwd_t *smbpw) 555 { 556 boolean_t lm_ok, nt_ok; 557 uint32_t status = NT_STATUS_SUCCESS; 558 559 if (smb_pwd_getpwnam(user_info->lg_e_username, smbpw) == NULL) 560 return (NT_STATUS_NO_SUCH_USER); 561 562 if (smbpw->pw_flags & SMB_PWF_DISABLE) 563 return (NT_STATUS_ACCOUNT_DISABLED); 564 565 nt_ok = lm_ok = B_FALSE; 566 if ((smbpw->pw_flags & SMB_PWF_LM) && 567 (user_info->lg_lm_password.len != 0)) { 568 lm_ok = smb_auth_validate_lm( 569 user_info->lg_challenge_key.val, 570 user_info->lg_challenge_key.len, 571 smbpw, 572 user_info->lg_lm_password.val, 573 user_info->lg_lm_password.len, 574 user_info->lg_domain, 575 user_info->lg_username); 576 token->tkn_session_key = NULL; 577 } 578 579 if (!lm_ok && (user_info->lg_nt_password.len != 0)) { 580 token->tkn_session_key = malloc(SMBAUTH_SESSION_KEY_SZ); 581 if (token->tkn_session_key == NULL) 582 return (NT_STATUS_NO_MEMORY); 583 nt_ok = smb_auth_validate_nt( 584 user_info->lg_challenge_key.val, 585 user_info->lg_challenge_key.len, 586 smbpw, 587 user_info->lg_nt_password.val, 588 user_info->lg_nt_password.len, 589 user_info->lg_domain, 590 user_info->lg_username, 591 (uchar_t *)token->tkn_session_key); 592 } 593 594 if (!nt_ok && !lm_ok) { 595 status = NT_STATUS_WRONG_PASSWORD; 596 syslog(LOG_NOTICE, "logon[%s\\%s]: %s", 597 user_info->lg_e_domain, user_info->lg_e_username, 598 xlate_nt_status(status)); 599 } 600 601 return (status); 602 } 603 604 /* 605 * Setup an access token for the specified local user. 606 */ 607 static uint32_t 608 smb_token_setup_local(smb_passwd_t *smbpw, smb_token_t *token) 609 { 610 idmap_stat stat; 611 smb_idmap_batch_t sib; 612 smb_idmap_t *umap, *gmap; 613 struct passwd pw; 614 char pwbuf[1024]; 615 char nbname[NETBIOS_NAME_SZ]; 616 617 (void) smb_getnetbiosname(nbname, sizeof (nbname)); 618 token->tkn_account_name = strdup(smbpw->pw_name); 619 token->tkn_domain_name = strdup(nbname); 620 621 if (token->tkn_account_name == NULL || 622 token->tkn_domain_name == NULL) 623 return (NT_STATUS_NO_MEMORY); 624 625 if (getpwuid_r(smbpw->pw_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL) 626 return (NT_STATUS_NO_SUCH_USER); 627 628 /* Get the SID for user's uid & gid */ 629 stat = smb_idmap_batch_create(&sib, 2, SMB_IDMAP_ID2SID); 630 if (stat != IDMAP_SUCCESS) 631 return (NT_STATUS_INTERNAL_ERROR); 632 633 umap = &sib.sib_maps[0]; 634 stat = smb_idmap_batch_getsid(sib.sib_idmaph, umap, pw.pw_uid, 635 SMB_IDMAP_USER); 636 637 if (stat != IDMAP_SUCCESS) { 638 smb_idmap_batch_destroy(&sib); 639 return (NT_STATUS_INTERNAL_ERROR); 640 } 641 642 gmap = &sib.sib_maps[1]; 643 stat = smb_idmap_batch_getsid(sib.sib_idmaph, gmap, pw.pw_gid, 644 SMB_IDMAP_GROUP); 645 646 if (stat != IDMAP_SUCCESS) { 647 smb_idmap_batch_destroy(&sib); 648 return (NT_STATUS_INTERNAL_ERROR); 649 } 650 651 if (smb_idmap_batch_getmappings(&sib) != IDMAP_SUCCESS) 652 return (NT_STATUS_INTERNAL_ERROR); 653 654 token->tkn_user.i_sid = smb_sid_dup(umap->sim_sid); 655 token->tkn_primary_grp.i_sid = smb_sid_dup(gmap->sim_sid); 656 657 smb_idmap_batch_destroy(&sib); 658 659 if (token->tkn_user.i_sid == NULL || 660 token->tkn_primary_grp.i_sid == NULL) 661 return (NT_STATUS_NO_MEMORY); 662 663 return (smb_token_setup_wingrps(token)); 664 } 665 666 /* 667 * Setup access token for guest connections 668 */ 669 static uint32_t 670 smb_token_setup_guest(smb_logon_t *user_info, smb_token_t *token) 671 { 672 token->tkn_account_name = strdup(user_info->lg_e_username); 673 674 (void) rw_rdlock(&smb_logoninit_rwl); 675 token->tkn_domain_name = strdup(smb_guest.a_domain); 676 token->tkn_user.i_sid = smb_sid_dup(smb_guest.a_sid); 677 token->tkn_primary_grp.i_sid = smb_sid_dup(smb_domusers.a_sid); 678 (void) rw_unlock(&smb_logoninit_rwl); 679 token->tkn_flags = SMB_ATF_GUEST; 680 681 if (token->tkn_account_name == NULL || 682 token->tkn_domain_name == NULL || 683 token->tkn_user.i_sid == NULL || 684 token->tkn_primary_grp.i_sid == NULL) 685 return (NT_STATUS_NO_MEMORY); 686 687 return (smb_token_setup_wingrps(token)); 688 } 689 690 /* 691 * Setup access token for anonymous connections 692 */ 693 static uint32_t 694 smb_token_setup_anon(smb_token_t *token) 695 { 696 smb_sid_t *user_sid; 697 698 token->tkn_account_name = strdup("Anonymous"); 699 token->tkn_domain_name = strdup("NT Authority"); 700 user_sid = smb_wka_get_sid("Anonymous"); 701 token->tkn_user.i_sid = smb_sid_dup(user_sid); 702 token->tkn_primary_grp.i_sid = smb_sid_dup(user_sid); 703 token->tkn_flags = SMB_ATF_ANON; 704 705 if (token->tkn_account_name == NULL || 706 token->tkn_domain_name == NULL || 707 token->tkn_user.i_sid == NULL || 708 token->tkn_primary_grp.i_sid == NULL) 709 return (NT_STATUS_NO_MEMORY); 710 711 return (smb_token_setup_wingrps(token)); 712 } 713 714 /* 715 * smb_token_user_sid 716 * 717 * Return a pointer to the user SID in the specified token. A null 718 * pointer indicates an error. 719 */ 720 static smb_sid_t * 721 smb_token_user_sid(smb_token_t *token) 722 { 723 return ((token) ? token->tkn_user.i_sid : NULL); 724 } 725 726 /* 727 * smb_token_group_sid 728 * 729 * Return a pointer to the group SID as indicated by the iterator. 730 * Setting the iterator to 0 before calling this function will return 731 * the first group, which will always be the primary group. The 732 * iterator will be incremented before returning the SID so that this 733 * function can be used to cycle through the groups. The caller can 734 * adjust the iterator as required between calls to obtain any specific 735 * group. 736 * 737 * On success a pointer to the appropriate group SID will be returned. 738 * Otherwise a null pointer will be returned. 739 */ 740 static smb_sid_t * 741 smb_token_group_sid(smb_token_t *token, int *iterator) 742 { 743 int index; 744 745 if (token == NULL || iterator == NULL) 746 return (NULL); 747 748 if (token->tkn_win_grps.i_ids == NULL) 749 return (NULL); 750 751 index = *iterator; 752 753 if (index < 0 || index >= token->tkn_win_grps.i_cnt) 754 return (NULL); 755 756 ++(*iterator); 757 return (token->tkn_win_grps.i_ids[index].i_sid); 758 } 759 760 /* 761 * smb_token_is_member 762 * 763 * This function will determine whether or not the specified SID is a 764 * member of a token. The user SID and all group SIDs are tested. 765 * Returns 1 if the SID is a member of the token. Otherwise returns 0. 766 */ 767 static boolean_t 768 smb_token_is_member(smb_token_t *token, smb_sid_t *sid) 769 { 770 smb_sid_t *tsid; 771 int iterator = 0; 772 773 if (token == NULL || sid == NULL) 774 return (B_FALSE); 775 776 tsid = smb_token_user_sid(token); 777 while (tsid) { 778 if (smb_sid_cmp(tsid, sid)) 779 return (B_TRUE); 780 781 tsid = smb_token_group_sid(token, &iterator); 782 } 783 784 return (B_FALSE); 785 } 786 787 /* 788 * smb_token_log 789 * 790 * Diagnostic routine to write the contents of a token to the log. 791 */ 792 void 793 smb_token_log(smb_token_t *token) 794 { 795 smb_ids_t *w_grps; 796 smb_id_t *grp; 797 smb_posix_grps_t *x_grps; 798 char sidstr[SMB_SID_STRSZ]; 799 int i; 800 801 if (token == NULL) 802 return; 803 804 syslog(LOG_DEBUG, "Token for %s\\%s", 805 (token->tkn_domain_name) ? token->tkn_domain_name : "-NULL-", 806 (token->tkn_account_name) ? token->tkn_account_name : "-NULL-"); 807 808 syslog(LOG_DEBUG, " User->Attr: %d", token->tkn_user.i_attrs); 809 smb_sid_tostr((smb_sid_t *)token->tkn_user.i_sid, sidstr); 810 syslog(LOG_DEBUG, " User->Sid: %s (id=%u)", sidstr, 811 token->tkn_user.i_id); 812 813 smb_sid_tostr((smb_sid_t *)token->tkn_owner.i_sid, sidstr); 814 syslog(LOG_DEBUG, " Ownr->Sid: %s (id=%u)", 815 sidstr, token->tkn_owner.i_id); 816 817 smb_sid_tostr((smb_sid_t *)token->tkn_primary_grp.i_sid, sidstr); 818 syslog(LOG_DEBUG, " PGrp->Sid: %s (id=%u)", 819 sidstr, token->tkn_primary_grp.i_id); 820 821 w_grps = &token->tkn_win_grps; 822 if (w_grps->i_ids) { 823 syslog(LOG_DEBUG, " Windows groups: %d", w_grps->i_cnt); 824 grp = w_grps->i_ids; 825 for (i = 0; i < w_grps->i_cnt; ++i, grp++) { 826 syslog(LOG_DEBUG, 827 " Grp[%d].Attr:%d", i, grp->i_attrs); 828 if (grp->i_sid != NULL) { 829 smb_sid_tostr((smb_sid_t *)grp->i_sid, sidstr); 830 syslog(LOG_DEBUG, 831 " Grp[%d].Sid: %s (id=%u)", i, sidstr, 832 grp->i_id); 833 } 834 } 835 } else { 836 syslog(LOG_DEBUG, " No Windows groups"); 837 } 838 839 x_grps = token->tkn_posix_grps; 840 if (x_grps) { 841 syslog(LOG_DEBUG, " Solaris groups: %d", x_grps->pg_ngrps); 842 for (i = 0; i < x_grps->pg_ngrps; i++) 843 syslog(LOG_DEBUG, " %u", x_grps->pg_grps[i]); 844 } else { 845 syslog(LOG_DEBUG, " No Solaris groups"); 846 } 847 848 if (token->tkn_privileges) 849 smb_privset_log(token->tkn_privileges); 850 else 851 syslog(LOG_DEBUG, " No privileges"); 852 } 853 854 /* 855 * Sets up local and well-known group membership for the given 856 * token. Two assumptions have been made here: 857 * 858 * a) token already contains a valid user SID so that group 859 * memberships can be established 860 * 861 * b) token belongs to a local or anonymous user 862 */ 863 static uint32_t 864 smb_token_setup_wingrps(smb_token_t *token) 865 { 866 smb_ids_t tkn_grps; 867 uint32_t status; 868 869 870 /* 871 * We always want the user's primary group in the list 872 * of groups. 873 */ 874 tkn_grps.i_cnt = 1; 875 if ((tkn_grps.i_ids = malloc(sizeof (smb_id_t))) == NULL) 876 return (NT_STATUS_NO_MEMORY); 877 878 tkn_grps.i_ids->i_sid = smb_sid_dup(token->tkn_primary_grp.i_sid); 879 tkn_grps.i_ids->i_attrs = token->tkn_primary_grp.i_attrs; 880 if (tkn_grps.i_ids->i_sid == NULL) { 881 smb_ids_free(&tkn_grps); 882 return (NT_STATUS_NO_MEMORY); 883 } 884 885 status = smb_sam_usr_groups(token->tkn_user.i_sid, &tkn_grps); 886 if (status != NT_STATUS_SUCCESS) { 887 smb_ids_free(&tkn_grps); 888 return (status); 889 } 890 891 status = smb_wka_token_groups(token->tkn_flags, &tkn_grps); 892 if (status != NT_STATUS_SUCCESS) { 893 smb_ids_free(&tkn_grps); 894 return (status); 895 } 896 897 token->tkn_win_grps = tkn_grps; 898 return (status); 899 } 900 901 /* 902 * Returns the guest account name in the provided buffer. 903 * 904 * By default the name would be "guest" unless there's 905 * a idmap name-based rule which maps the guest to a local 906 * Solaris user in which case the name of that user is 907 * returned. 908 */ 909 static void 910 smb_guest_account(char *guest, size_t buflen) 911 { 912 idmap_stat stat; 913 uid_t guest_uid; 914 struct passwd pw; 915 char pwbuf[1024]; 916 int idtype; 917 918 /* default Guest account name */ 919 (void) rw_rdlock(&smb_logoninit_rwl); 920 (void) strlcpy(guest, smb_guest.a_name, buflen); 921 922 idtype = SMB_IDMAP_USER; 923 stat = smb_idmap_getid(smb_guest.a_sid, &guest_uid, &idtype); 924 (void) rw_unlock(&smb_logoninit_rwl); 925 926 if (stat != IDMAP_SUCCESS) 927 return; 928 929 /* If Ephemeral ID return the default name */ 930 if (IDMAP_ID_IS_EPHEMERAL(guest_uid)) 931 return; 932 933 if (getpwuid_r(guest_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL) 934 return; 935 936 (void) strlcpy(guest, pw.pw_name, buflen); 937 } 938