1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * Security database interface. 28 */ 29 #include <unistd.h> 30 #include <strings.h> 31 #include <pwd.h> 32 #include <grp.h> 33 #include <time.h> 34 #include <syslog.h> 35 #include <assert.h> 36 37 #include <smbsrv/libsmb.h> 38 #include <smbsrv/libmlsvc.h> 39 40 #include <smbsrv/smbinfo.h> 41 #include <smbsrv/smb_token.h> 42 #include <lsalib.h> 43 44 extern uint32_t netlogon_logon(netr_client_t *, smb_token_t *); 45 static uint32_t smb_logon_domain(netr_client_t *, smb_token_t *); 46 static uint32_t smb_logon_local(netr_client_t *, smb_token_t *); 47 static uint32_t smb_logon_anon(netr_client_t *, smb_token_t *); 48 49 static uint32_t smb_token_setup_local(smb_passwd_t *, smb_token_t *); 50 static uint32_t smb_token_setup_anon(smb_token_t *token); 51 52 static boolean_t smb_token_is_member(smb_token_t *, smb_sid_t *); 53 static uint32_t smb_token_setup_wingrps(smb_token_t *); 54 static smb_posix_grps_t *smb_token_create_pxgrps(uid_t); 55 56 /* Consolidation private function from Network Repository */ 57 extern int _getgroupsbymember(const char *, gid_t[], int, int); 58 59 static idmap_stat 60 smb_token_idmap(smb_token_t *token, smb_idmap_batch_t *sib) 61 { 62 idmap_stat stat; 63 smb_idmap_t *sim; 64 smb_id_t *id; 65 int i; 66 67 if (!token || !sib) 68 return (IDMAP_ERR_ARG); 69 70 sim = sib->sib_maps; 71 72 if (token->tkn_flags & SMB_ATF_ANON) { 73 token->tkn_user.i_id = UID_NOBODY; 74 token->tkn_owner.i_id = UID_NOBODY; 75 } else { 76 /* User SID */ 77 id = &token->tkn_user; 78 sim->sim_id = &id->i_id; 79 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, 80 id->i_sid, SMB_IDMAP_USER); 81 82 if (stat != IDMAP_SUCCESS) 83 return (stat); 84 85 /* Owner SID */ 86 id = &token->tkn_owner; 87 sim->sim_id = &id->i_id; 88 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, 89 id->i_sid, SMB_IDMAP_USER); 90 91 if (stat != IDMAP_SUCCESS) 92 return (stat); 93 } 94 95 /* Primary Group SID */ 96 id = &token->tkn_primary_grp; 97 sim->sim_id = &id->i_id; 98 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, id->i_sid, 99 SMB_IDMAP_GROUP); 100 101 if (stat != IDMAP_SUCCESS) 102 return (stat); 103 104 /* Other Windows Group SIDs */ 105 for (i = 0; i < token->tkn_win_grps.i_cnt; i++, sim++) { 106 id = &token->tkn_win_grps.i_ids[i]; 107 sim->sim_id = &id->i_id; 108 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim, 109 id->i_sid, SMB_IDMAP_GROUP); 110 111 if (stat != IDMAP_SUCCESS) 112 break; 113 } 114 115 return (stat); 116 } 117 118 /* 119 * smb_token_sids2ids 120 * 121 * This will map all the SIDs of the access token to UIDs/GIDs. 122 * 123 * Returns 0 upon success. Otherwise, returns -1. 124 */ 125 static int 126 smb_token_sids2ids(smb_token_t *token) 127 { 128 idmap_stat stat; 129 int nmaps, retries = 0; 130 smb_idmap_batch_t sib; 131 132 /* 133 * Number of idmap lookups: user SID, owner SID, primary group SID, 134 * and all Windows group SIDs. Skip user/owner SID for Anonymous. 135 */ 136 if (token->tkn_flags & SMB_ATF_ANON) 137 nmaps = token->tkn_win_grps.i_cnt + 1; 138 else 139 nmaps = token->tkn_win_grps.i_cnt + 3; 140 141 do { 142 stat = smb_idmap_batch_create(&sib, nmaps, SMB_IDMAP_SID2ID); 143 if (stat != IDMAP_SUCCESS) 144 return (-1); 145 146 stat = smb_token_idmap(token, &sib); 147 if (stat != IDMAP_SUCCESS) { 148 smb_idmap_batch_destroy(&sib); 149 return (-1); 150 } 151 152 stat = smb_idmap_batch_getmappings(&sib); 153 smb_idmap_batch_destroy(&sib); 154 if (stat == IDMAP_ERR_RPC_HANDLE) 155 if (smb_idmap_restart() < 0) 156 break; 157 } while (stat == IDMAP_ERR_RPC_HANDLE && retries++ < 3); 158 159 return (stat == IDMAP_SUCCESS ? 0 : -1); 160 } 161 162 /* 163 * smb_token_create_pxgrps 164 * 165 * Setup the POSIX group membership of the access token if the given UID is 166 * a POSIX UID (non-ephemeral). Both the user's primary group and 167 * supplementary groups will be added to the POSIX group array of the access 168 * token. 169 */ 170 static smb_posix_grps_t * 171 smb_token_create_pxgrps(uid_t uid) 172 { 173 struct passwd *pwd; 174 smb_posix_grps_t *pgrps; 175 int ngroups_max, num; 176 gid_t *gids; 177 178 if ((ngroups_max = sysconf(_SC_NGROUPS_MAX)) < 0) { 179 syslog(LOG_ERR, "smb_logon: failed to get _SC_NGROUPS_MAX"); 180 return (NULL); 181 } 182 183 pwd = getpwuid(uid); 184 if (pwd == NULL) { 185 pgrps = malloc(sizeof (smb_posix_grps_t)); 186 if (pgrps == NULL) 187 return (NULL); 188 189 pgrps->pg_ngrps = 0; 190 return (pgrps); 191 } 192 193 if (pwd->pw_name == NULL) { 194 pgrps = malloc(sizeof (smb_posix_grps_t)); 195 if (pgrps == NULL) 196 return (NULL); 197 198 pgrps->pg_ngrps = 1; 199 pgrps->pg_grps[0] = pwd->pw_gid; 200 return (pgrps); 201 } 202 203 gids = (gid_t *)malloc(ngroups_max * sizeof (gid_t)); 204 if (gids == NULL) { 205 return (NULL); 206 } 207 bzero(gids, ngroups_max * sizeof (gid_t)); 208 209 gids[0] = pwd->pw_gid; 210 211 /* 212 * Setup the groups starting at index 1 (the last arg) 213 * of gids array. 214 */ 215 num = _getgroupsbymember(pwd->pw_name, gids, ngroups_max, 1); 216 217 if (num == -1) { 218 syslog(LOG_ERR, "smb_logon: unable " 219 "to get user's supplementary groups"); 220 num = 1; 221 } 222 223 pgrps = (smb_posix_grps_t *)malloc(SMB_POSIX_GRPS_SIZE(num)); 224 if (pgrps) { 225 pgrps->pg_ngrps = num; 226 bcopy(gids, pgrps->pg_grps, num * sizeof (gid_t)); 227 } 228 229 free(gids); 230 return (pgrps); 231 } 232 233 /* 234 * smb_token_destroy 235 * 236 * Release all of the memory associated with a token structure. Ensure 237 * that the token has been unlinked before calling. 238 */ 239 void 240 smb_token_destroy(smb_token_t *token) 241 { 242 if (token != NULL) { 243 smb_sid_free(token->tkn_user.i_sid); 244 smb_sid_free(token->tkn_owner.i_sid); 245 smb_sid_free(token->tkn_primary_grp.i_sid); 246 smb_ids_free(&token->tkn_win_grps); 247 smb_privset_free(token->tkn_privileges); 248 free(token->tkn_posix_grps); 249 free(token->tkn_account_name); 250 free(token->tkn_domain_name); 251 free(token->tkn_session_key); 252 free(token); 253 } 254 } 255 256 /* 257 * Token owner should be set to local Administrators group 258 * in two cases: 259 * 1. The logged on user is a member of Domain Admins group 260 * 2. he/she is a member of local Administrators group 261 */ 262 static void 263 smb_token_set_owner(smb_token_t *token) 264 { 265 #ifdef SMB_SUPPORT_GROUP_OWNER 266 smb_sid_t *owner_sid; 267 268 if (token->tkn_flags & SMB_ATF_ADMIN) { 269 owner_sid = smb_wka_get_sid("Administrators"); 270 assert(owner_sid); 271 } else { 272 owner_sid = token->tkn_user->i_sid; 273 } 274 275 token->tkn_owner.i_sid = smb_sid_dup(owner_sid); 276 #endif 277 token->tkn_owner.i_sid = smb_sid_dup(token->tkn_user.i_sid); 278 } 279 280 static smb_privset_t * 281 smb_token_create_privs(smb_token_t *token) 282 { 283 smb_privset_t *privs; 284 smb_giter_t gi; 285 smb_group_t grp; 286 int rc; 287 288 privs = smb_privset_new(); 289 if (privs == NULL) 290 return (NULL); 291 292 if (smb_lgrp_iteropen(&gi) != SMB_LGRP_SUCCESS) { 293 smb_privset_free(privs); 294 return (NULL); 295 } 296 297 while (smb_lgrp_iterate(&gi, &grp) == SMB_LGRP_SUCCESS) { 298 if (smb_lgrp_is_member(&grp, token->tkn_user.i_sid)) 299 smb_privset_merge(privs, grp.sg_privs); 300 smb_lgrp_free(&grp); 301 } 302 smb_lgrp_iterclose(&gi); 303 304 if (token->tkn_flags & SMB_ATF_ADMIN) { 305 rc = smb_lgrp_getbyname("Administrators", &grp); 306 if (rc == SMB_LGRP_SUCCESS) { 307 smb_privset_merge(privs, grp.sg_privs); 308 smb_lgrp_free(&grp); 309 } 310 311 /* 312 * This privilege is required to view/edit SACL 313 */ 314 smb_privset_enable(privs, SE_SECURITY_LUID); 315 } 316 317 return (privs); 318 } 319 320 static void 321 smb_token_set_flags(smb_token_t *token) 322 { 323 uint32_t rid; 324 325 (void) smb_sid_getrid(token->tkn_user.i_sid, &rid); 326 if (rid == DOMAIN_USER_RID_GUEST) { 327 token->tkn_flags |= SMB_ATF_GUEST; 328 return; 329 } 330 331 if (smb_token_is_member(token, smb_wka_get_sid("Administrators"))) 332 token->tkn_flags |= SMB_ATF_ADMIN; 333 334 if (smb_token_is_member(token, smb_wka_get_sid("Power Users"))) 335 token->tkn_flags |= SMB_ATF_POWERUSER; 336 337 if (smb_token_is_member(token, smb_wka_get_sid("Backup Operators"))) 338 token->tkn_flags |= SMB_ATF_BACKUPOP; 339 } 340 341 /* 342 * Common token setup for both local and domain users. 343 * This function must be called after the initial setup 344 * has been done. 345 * 346 * Note that the order of calls in this function are important. 347 */ 348 static uint32_t 349 smb_token_setup_common(smb_token_t *token) 350 { 351 smb_token_set_flags(token); 352 353 smb_token_set_owner(token); 354 if (token->tkn_owner.i_sid == NULL) 355 return (NT_STATUS_NO_MEMORY); 356 357 /* Privileges */ 358 token->tkn_privileges = smb_token_create_privs(token); 359 if (token->tkn_privileges == NULL) 360 return (NT_STATUS_NO_MEMORY); 361 362 if (smb_token_sids2ids(token) != 0) { 363 syslog(LOG_ERR, "%s\\%s: idmap failed", 364 token->tkn_domain_name, token->tkn_account_name); 365 return (NT_STATUS_INTERNAL_ERROR); 366 } 367 368 /* Solaris Groups */ 369 token->tkn_posix_grps = smb_token_create_pxgrps(token->tkn_user.i_id); 370 371 return (NT_STATUS_SUCCESS); 372 } 373 374 /* 375 * smb_logon 376 * 377 * Performs user authentication and creates a token if the 378 * authentication is successful. 379 * 380 * Returns pointer to the created token. 381 */ 382 smb_token_t * 383 smb_logon(netr_client_t *clnt) 384 { 385 smb_token_t *token = NULL; 386 uint32_t status; 387 388 if ((token = malloc(sizeof (smb_token_t))) == NULL) { 389 syslog(LOG_ERR, "smb_logon: resource shortage"); 390 return (NULL); 391 } 392 bzero(token, sizeof (smb_token_t)); 393 394 status = smb_logon_anon(clnt, token); 395 if (status == NT_STATUS_INVALID_LOGON_TYPE) { 396 status = smb_logon_local(clnt, token); 397 if (status != NT_STATUS_SUCCESS) { 398 if ((status == NT_STATUS_INVALID_LOGON_TYPE) || 399 (*clnt->real_domain == '\0')) 400 status = smb_logon_domain(clnt, token); 401 } 402 } 403 404 if (status == NT_STATUS_SUCCESS) { 405 if (smb_token_setup_common(token) == NT_STATUS_SUCCESS) 406 return (token); 407 } 408 409 smb_token_destroy(token); 410 return (NULL); 411 } 412 413 /* 414 * smb_logon_domain 415 * 416 * Performs pass through authentication with PDC. 417 */ 418 static uint32_t 419 smb_logon_domain(netr_client_t *clnt, smb_token_t *token) 420 { 421 uint32_t status; 422 423 if ((status = netlogon_logon(clnt, token)) != 0) { 424 if (status == NT_STATUS_CANT_ACCESS_DOMAIN_INFO) { 425 if ((status = netlogon_logon(clnt, token)) != 0) { 426 syslog(LOG_INFO, "SmbLogon[%s\\%s]: %s", 427 clnt->real_domain, clnt->real_username, 428 xlate_nt_status(status)); 429 return (status); 430 } 431 } 432 } 433 434 return (status); 435 } 436 437 /* 438 * smb_logon_local 439 * 440 * Check to see if connected user has an entry in the local 441 * smbpasswd database. If it has, tries both LM hash and NT 442 * hash with user's password(s) to authenticate the user. 443 */ 444 static uint32_t 445 smb_logon_local(netr_client_t *clnt, smb_token_t *token) 446 { 447 smb_passwd_t smbpw; 448 boolean_t lm_ok, nt_ok; 449 uint32_t status; 450 nt_domain_t *domain; 451 452 /* Make sure this is not a domain user */ 453 if (smb_config_get_secmode() == SMB_SECMODE_DOMAIN) { 454 domain = nt_domain_lookup_name(clnt->real_domain); 455 if (domain && (domain->type != NT_DOMAIN_LOCAL)) 456 return (NT_STATUS_INVALID_LOGON_TYPE); 457 } 458 459 if (smb_pwd_getpwnam(clnt->real_username, &smbpw) == NULL) { 460 /* 461 * If user doesn't have entry either in smbpasswd 462 * or passwd it's considered as an invalid user. 463 */ 464 status = NT_STATUS_NO_SUCH_USER; 465 syslog(LOG_NOTICE, "SmbLogon[%s\\%s]: %s", 466 clnt->real_domain, clnt->real_username, 467 xlate_nt_status(status)); 468 return (status); 469 } 470 if (smbpw.pw_flags & SMB_PWF_DISABLE) 471 return (NT_STATUS_ACCOUNT_DISABLED); 472 473 nt_ok = lm_ok = B_FALSE; 474 if ((smbpw.pw_flags & SMB_PWF_LM) && 475 (clnt->lm_password.lm_password_len != 0)) { 476 lm_ok = smb_auth_validate_lm( 477 clnt->challenge_key.challenge_key_val, 478 clnt->challenge_key.challenge_key_len, 479 &smbpw, 480 clnt->lm_password.lm_password_val, 481 clnt->lm_password.lm_password_len, 482 clnt->domain, 483 clnt->username); 484 token->tkn_session_key = NULL; 485 } 486 487 if (!lm_ok && (clnt->nt_password.nt_password_len != 0)) { 488 token->tkn_session_key = malloc(SMBAUTH_SESSION_KEY_SZ); 489 if (token->tkn_session_key == NULL) 490 return (NT_STATUS_NO_MEMORY); 491 nt_ok = smb_auth_validate_nt( 492 clnt->challenge_key.challenge_key_val, 493 clnt->challenge_key.challenge_key_len, 494 &smbpw, 495 clnt->nt_password.nt_password_val, 496 clnt->nt_password.nt_password_len, 497 clnt->domain, 498 clnt->username, 499 (uchar_t *)token->tkn_session_key); 500 } 501 502 if (!nt_ok && !lm_ok) { 503 status = NT_STATUS_WRONG_PASSWORD; 504 syslog(LOG_NOTICE, "SmbLogon[%s\\%s]: %s", 505 clnt->real_domain, clnt->real_username, 506 xlate_nt_status(status)); 507 return (status); 508 } 509 510 status = smb_token_setup_local(&smbpw, token); 511 return (status); 512 } 513 514 /* 515 * If 'clnt' represents an anonymous user (no password) 516 * then setup the token accordingly, otherwise return 517 * NT_STATUS_INVALID_LOGON_TYPE 518 */ 519 static uint32_t 520 smb_logon_anon(netr_client_t *clnt, smb_token_t *token) 521 { 522 if ((clnt->nt_password.nt_password_len == 0) && 523 (clnt->lm_password.lm_password_len == 0 || 524 (clnt->lm_password.lm_password_len == 1 && 525 *clnt->lm_password.lm_password_val == '\0'))) { 526 return (smb_token_setup_anon(token)); 527 } 528 529 return (NT_STATUS_INVALID_LOGON_TYPE); 530 } 531 532 /* 533 * Setup an access token for the specified local user. 534 */ 535 static uint32_t 536 smb_token_setup_local(smb_passwd_t *smbpw, smb_token_t *token) 537 { 538 idmap_stat stat; 539 smb_idmap_batch_t sib; 540 smb_idmap_t *umap, *gmap; 541 struct passwd pw; 542 char pwbuf[1024]; 543 char nbname[NETBIOS_NAME_SZ]; 544 545 (void) smb_getnetbiosname(nbname, sizeof (nbname)); 546 token->tkn_account_name = strdup(smbpw->pw_name); 547 token->tkn_domain_name = strdup(nbname); 548 549 if (token->tkn_account_name == NULL || 550 token->tkn_domain_name == NULL) 551 return (NT_STATUS_NO_MEMORY); 552 553 if (getpwuid_r(smbpw->pw_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL) 554 return (NT_STATUS_NO_SUCH_USER); 555 556 /* Get the SID for user's uid & gid */ 557 stat = smb_idmap_batch_create(&sib, 2, SMB_IDMAP_ID2SID); 558 if (stat != IDMAP_SUCCESS) 559 return (NT_STATUS_INTERNAL_ERROR); 560 561 umap = &sib.sib_maps[0]; 562 stat = smb_idmap_batch_getsid(sib.sib_idmaph, umap, pw.pw_uid, 563 SMB_IDMAP_USER); 564 565 if (stat != IDMAP_SUCCESS) { 566 smb_idmap_batch_destroy(&sib); 567 return (NT_STATUS_INTERNAL_ERROR); 568 } 569 570 gmap = &sib.sib_maps[1]; 571 stat = smb_idmap_batch_getsid(sib.sib_idmaph, gmap, pw.pw_gid, 572 SMB_IDMAP_GROUP); 573 574 if (stat != IDMAP_SUCCESS) { 575 smb_idmap_batch_destroy(&sib); 576 return (NT_STATUS_INTERNAL_ERROR); 577 } 578 579 if (smb_idmap_batch_getmappings(&sib) != IDMAP_SUCCESS) 580 return (NT_STATUS_INTERNAL_ERROR); 581 582 token->tkn_user.i_sid = smb_sid_dup(umap->sim_sid); 583 token->tkn_primary_grp.i_sid = smb_sid_dup(gmap->sim_sid); 584 585 smb_idmap_batch_destroy(&sib); 586 587 if (token->tkn_user.i_sid == NULL || 588 token->tkn_primary_grp.i_sid == NULL) 589 return (NT_STATUS_NO_MEMORY); 590 591 return (smb_token_setup_wingrps(token)); 592 } 593 594 /* 595 * Setup access token for an anonymous connection 596 */ 597 static uint32_t 598 smb_token_setup_anon(smb_token_t *token) 599 { 600 char nbname[NETBIOS_NAME_SZ]; 601 smb_sid_t *user_sid; 602 603 (void) smb_getnetbiosname(nbname, sizeof (nbname)); 604 token->tkn_account_name = strdup("Anonymous"); 605 token->tkn_domain_name = strdup("NT Authority"); 606 user_sid = smb_wka_get_sid("Anonymous"); 607 token->tkn_user.i_sid = smb_sid_dup(user_sid); 608 token->tkn_primary_grp.i_sid = smb_sid_dup(user_sid); 609 token->tkn_flags = SMB_ATF_ANON; 610 611 if (token->tkn_account_name == NULL || 612 token->tkn_domain_name == NULL || 613 token->tkn_user.i_sid == NULL || 614 token->tkn_primary_grp.i_sid == NULL) 615 return (NT_STATUS_NO_MEMORY); 616 617 return (smb_token_setup_wingrps(token)); 618 } 619 620 /* 621 * smb_token_user_sid 622 * 623 * Return a pointer to the user SID in the specified token. A null 624 * pointer indicates an error. 625 */ 626 static smb_sid_t * 627 smb_token_user_sid(smb_token_t *token) 628 { 629 return ((token) ? token->tkn_user.i_sid : NULL); 630 } 631 632 /* 633 * smb_token_group_sid 634 * 635 * Return a pointer to the group SID as indicated by the iterator. 636 * Setting the iterator to 0 before calling this function will return 637 * the first group, which will always be the primary group. The 638 * iterator will be incremented before returning the SID so that this 639 * function can be used to cycle through the groups. The caller can 640 * adjust the iterator as required between calls to obtain any specific 641 * group. 642 * 643 * On success a pointer to the appropriate group SID will be returned. 644 * Otherwise a null pointer will be returned. 645 */ 646 static smb_sid_t * 647 smb_token_group_sid(smb_token_t *token, int *iterator) 648 { 649 int index; 650 651 if (token == NULL || iterator == NULL) 652 return (NULL); 653 654 if (token->tkn_win_grps.i_ids == NULL) 655 return (NULL); 656 657 index = *iterator; 658 659 if (index < 0 || index >= token->tkn_win_grps.i_cnt) 660 return (NULL); 661 662 ++(*iterator); 663 return (token->tkn_win_grps.i_ids[index].i_sid); 664 } 665 666 /* 667 * smb_token_is_member 668 * 669 * This function will determine whether or not the specified SID is a 670 * member of a token. The user SID and all group SIDs are tested. 671 * Returns 1 if the SID is a member of the token. Otherwise returns 0. 672 */ 673 static boolean_t 674 smb_token_is_member(smb_token_t *token, smb_sid_t *sid) 675 { 676 smb_sid_t *tsid; 677 int iterator = 0; 678 679 if (token == NULL || sid == NULL) 680 return (B_FALSE); 681 682 tsid = smb_token_user_sid(token); 683 while (tsid) { 684 if (smb_sid_cmp(tsid, sid)) 685 return (B_TRUE); 686 687 tsid = smb_token_group_sid(token, &iterator); 688 } 689 690 return (B_FALSE); 691 } 692 693 /* 694 * smb_token_log 695 * 696 * Diagnostic routine to write the contents of a token to the log. 697 */ 698 void 699 smb_token_log(smb_token_t *token) 700 { 701 smb_ids_t *w_grps; 702 smb_id_t *grp; 703 smb_posix_grps_t *x_grps; 704 char sidstr[SMB_SID_STRSZ]; 705 int i; 706 707 if (token == NULL) 708 return; 709 710 syslog(LOG_DEBUG, "Token for %s\\%s", 711 (token->tkn_domain_name) ? token->tkn_domain_name : "-NULL-", 712 (token->tkn_account_name) ? token->tkn_account_name : "-NULL-"); 713 714 syslog(LOG_DEBUG, " User->Attr: %d", token->tkn_user.i_attrs); 715 smb_sid_tostr((smb_sid_t *)token->tkn_user.i_sid, sidstr); 716 syslog(LOG_DEBUG, " User->Sid: %s (id=%u)", sidstr, 717 token->tkn_user.i_id); 718 719 smb_sid_tostr((smb_sid_t *)token->tkn_owner.i_sid, sidstr); 720 syslog(LOG_DEBUG, " Ownr->Sid: %s (id=%u)", 721 sidstr, token->tkn_owner.i_id); 722 723 smb_sid_tostr((smb_sid_t *)token->tkn_primary_grp.i_sid, sidstr); 724 syslog(LOG_DEBUG, " PGrp->Sid: %s (id=%u)", 725 sidstr, token->tkn_primary_grp.i_id); 726 727 w_grps = &token->tkn_win_grps; 728 if (w_grps->i_ids) { 729 syslog(LOG_DEBUG, " Windows groups: %d", w_grps->i_cnt); 730 grp = w_grps->i_ids; 731 for (i = 0; i < w_grps->i_cnt; ++i, grp++) { 732 syslog(LOG_DEBUG, 733 " Grp[%d].Attr:%d", i, grp->i_attrs); 734 if (grp->i_sid != NULL) { 735 smb_sid_tostr((smb_sid_t *)grp->i_sid, sidstr); 736 syslog(LOG_DEBUG, 737 " Grp[%d].Sid: %s (id=%u)", i, sidstr, 738 grp->i_id); 739 } 740 } 741 } else { 742 syslog(LOG_DEBUG, " No Windows groups"); 743 } 744 745 x_grps = token->tkn_posix_grps; 746 if (x_grps) { 747 syslog(LOG_DEBUG, " Solaris groups: %d", x_grps->pg_ngrps); 748 for (i = 0; i < x_grps->pg_ngrps; i++) 749 syslog(LOG_DEBUG, " %u", x_grps->pg_grps[i]); 750 } else { 751 syslog(LOG_DEBUG, " No Solaris groups"); 752 } 753 754 if (token->tkn_privileges) 755 smb_privset_log(token->tkn_privileges); 756 else 757 syslog(LOG_DEBUG, " No privileges"); 758 } 759 760 /* 761 * Sets up local and well-known group membership for the given 762 * token. Two assumptions have been made here: 763 * 764 * a) token already contains a valid user SID so that group 765 * memberships can be established 766 * 767 * b) token belongs to a local or anonymous user 768 */ 769 static uint32_t 770 smb_token_setup_wingrps(smb_token_t *token) 771 { 772 smb_ids_t tkn_grps; 773 uint32_t status; 774 775 776 /* 777 * We always want the user's primary group in the list 778 * of groups. 779 */ 780 tkn_grps.i_cnt = 1; 781 if ((tkn_grps.i_ids = malloc(sizeof (smb_id_t))) == NULL) 782 return (NT_STATUS_NO_MEMORY); 783 784 tkn_grps.i_ids->i_sid = smb_sid_dup(token->tkn_primary_grp.i_sid); 785 tkn_grps.i_ids->i_attrs = token->tkn_primary_grp.i_attrs; 786 if (tkn_grps.i_ids->i_sid == NULL) { 787 smb_ids_free(&tkn_grps); 788 return (NT_STATUS_NO_MEMORY); 789 } 790 791 status = smb_sam_usr_groups(token->tkn_user.i_sid, &tkn_grps); 792 if (status != NT_STATUS_SUCCESS) { 793 smb_ids_free(&tkn_grps); 794 return (status); 795 } 796 797 if ((token->tkn_flags & SMB_ATF_ANON) == 0) { 798 status = smb_wka_token_groups(B_FALSE, &tkn_grps); 799 if (status != NT_STATUS_SUCCESS) { 800 smb_ids_free(&tkn_grps); 801 return (status); 802 } 803 } 804 805 token->tkn_win_grps = tkn_grps; 806 return (status); 807 } 808