xref: /titanic_41/usr/src/lib/smbsrv/libsmbns/common/smbns_browser.c (revision e521049d0fdbd76727f036cb77c99c98d7ee1125)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 #include <sys/tzfile.h>
26 #include <errno.h>
27 #include <stdlib.h>
28 #include <stdio.h>
29 #include <unistd.h>
30 #include <syslog.h>
31 #include <string.h>
32 #include <strings.h>
33 #include <time.h>
34 #include <synch.h>
35 #include <netdb.h>
36 #include <sys/socket.h>
37 #include <arpa/inet.h>
38 
39 #include <smbsrv/libsmb.h>
40 #include <smbsrv/libsmbns.h>
41 #include <smbsrv/smb.h>
42 #include <smbsrv/mailslot.h>
43 #include <smbns_browser.h>
44 #include <smbns_netbios.h>
45 
46 /*
47  * ntdomain_info
48  * Temporary. It should be removed once NBTD is integrated.
49  */
50 smb_ntdomain_t ntdomain_info;
51 mutex_t ntdomain_mtx;
52 cond_t ntdomain_cv;
53 
54 #define	SMB_SERVER_SIGNATURE		0xaa550415
55 
56 typedef struct smb_hostinfo {
57 	list_node_t	hi_lnd;
58 	smb_nic_t	hi_nic;
59 	char		hi_nbname[NETBIOS_NAME_SZ];
60 	name_entry_t	hi_netname;
61 	uint32_t	hi_nextannouce;
62 	int		hi_reps;
63 	int		hi_interval;
64 	uint8_t		hi_updatecnt;
65 	uint32_t	hi_type;
66 	smb_version_t	hi_version;
67 } smb_hostinfo_t;
68 
69 typedef struct smb_browserinfo {
70 	list_t		bi_hlist;
71 	int		bi_hcnt;
72 	rwlock_t	bi_hlist_rwl;
73 	boolean_t	bi_changed;
74 	mutex_t		bi_mtx;
75 } smb_browserinfo_t;
76 
77 static smb_browserinfo_t smb_binfo;
78 
79 static int smb_browser_init(void);
80 static void smb_browser_infoinit(void);
81 static void smb_browser_infoterm(void);
82 static void smb_browser_infofree(void);
83 
84 
85 void
86 smb_browser_reconfig(void)
87 {
88 	(void) mutex_lock(&smb_binfo.bi_mtx);
89 	smb_binfo.bi_changed = B_TRUE;
90 	(void) mutex_unlock(&smb_binfo.bi_mtx);
91 }
92 
93 /*
94  * 3. Browser Overview
95  *
96  * Hosts involved in the browsing process can be separated into two
97  * distinct groups, browser clients and browser servers (often referred to
98  * simply as "browsers").
99  *
100  * A browser is a server which maintains information about servers -
101  * primarily the domain they are in and the services that they are running
102  * -- and about domains. Browsers may assume several different roles in
103  * their lifetimes, and dynamically switch between them.
104  *
105  *  Browser clients are of two types: workstations and (non-browser)
106  * servers. In the context of browsing, workstations query browsers for the
107  * information they contain; servers supply browsers the information by
108  * registering with them. Note that, at times, browsers may themselves
109  * behave as browser clients and query other browsers.
110  *
111  * For the purposes of this specification, a domain is simply a name with
112  * which to associate a group of resources such as computers, servers and
113  * users. Domains allow a convenient means for browser clients to restrict
114  * the scope of a search when they query browser servers. Every domain has
115  * a "master" server called the Primary Domain Controller (PDC) that
116  * manages various  activities within the domain.
117  *
118  * One browser for each domain on a subnet is designated the Local Master
119  * Browser for that domain. Servers in its domain on the subnet register
120  * with it, as do the Local Master Browsers for other domains on the
121  * subnet. It uses these registrations to maintain authoritative
122  * information about its domain on its subnet. If there are other subnets
123  * in the network, it also knows the name of the server running the
124  * domain's Domain Master Browser; it registers with it, and uses it to
125  * obtain information about the rest of the network (see below).
126  *
127  * Clients on a subnet query browsers designated as the Backup Browsers for
128  * the subnet (not the Master Browser). Backup Browsers maintain a copy of
129  * the information on the Local Master Browser; they get it by periodically
130  * querying the Local Master Browser for all of its information. Clients
131  * find the Backup Browsers by asking the Local Master Browser. Clients are
132  * expected to spread their queries evenly across Backup Browsers to
133  * balance the load.
134  *
135  * The Local Master Browser is dynamically elected automatically. Multiple
136  * Backup Browser Servers may exist per subnet; they are selected from
137  * among the potential browser servers by the Local Master Browser, which
138  * is configured to select enough to handle the expected query load.
139  *
140  * When there are multiple subnets, a Domain Master Browser is assigned
141  * the task of keeping the multiple subnets in synchronization. The Primary
142  * Domain Controller (PDC) always acts as the Domain Master Browser. The
143  * Domain Master Browser periodically acts as a client and queries all the
144  * Local Master Browsers for its domain, asking them for a list containing
145  * all the domains and all the servers in their domain known within their
146  * subnets; it merges all the replies into a single master list. This
147  * allows a Domain Master Browser server to act as a collection point for
148  * inter-subnet browsing information. Local Master Browsers periodically
149  * query the Domain Master Browser to retrieve the network-wide information
150  * it maintains.
151  *
152  * When a domain spans only a single subnet, there will not be any distinct
153  * Local Master Browser; this role will be handled by the Domain Master
154  * Browser. Similarly, the Domain Master Browser is always the Local Master
155  * Browser for the subnet it is on.
156  *
157  * When a browser client suspects that the Local Master Browser has failed,
158  * the client will instigate an election in which the browser servers
159  * participate, and some browser servers may change roles.
160  *
161  * Some characteristics of a good browsing mechanism include:
162  * . minimal network traffic
163  * . minimum server discovery time
164  * . minimum change discovery latency
165  * . immunity to machine failures
166  *
167  * Historically, Browser implementations had been very closely tied to
168  * NETBIOS and datagrams. The early implementations caused a lot of
169  * broadcast traffic. See Appendix D for an overview that presents how the
170  * Browser specification evolved.
171  *
172  * 4. Browsing Protocol Architecture
173  *
174  * This section first describes the how the browsing protocol is layered,
175  * then describes the roles of clients, servers, and browsers in the
176  * browsing subsystem.
177  *
178  * 4.1 Layering of Browsing Protocol Requests
179  *
180  * Most of the browser functionality is implemented using mailslots.
181  * Mailslots provide a mechanism for fast, unreliable unidirectional data
182  * transfer; they are named via ASCII "mailslot (path) name". Mailslots are
183  * implemented using the CIFS Transact SMB which is encapsulated in a
184  * NETBIOS datagram. Browser protocol requests are sent to browser specific
185  * mailslots using some browser-specific NETBIOS names. These datagrams can
186  * either be unicast or broadcast, depending on whether the NETBIOS name is
187  * a "unique name" or a "group name". Various data structures, which are
188  * detailed subsequently within this document, flow as the data portion of
189  * the Transact SMB.
190  *
191  * Here is an example of a generic browser SMB, showing how a browser
192  * request is encapsulated in a TRANSACT SMB request. Note that the PID,
193  * TID, MID, UID, and Flags are all 0 in mailslot requests.
194  *
195  * SMB: C transact, File = \MAILSLOT\BROWSE
196  *   SMB: SMB Status = Error Success
197  *     SMB: Error class = No Error
198  *     SMB: Error code = No Error
199  *   SMB: Header: PID = 0x0000 TID = 0x0000 MID = 0x0000 UID = 0x0000
200  *     SMB: Tree ID   (TID) = 0 (0x0)
201  *     SMB: Process ID  (PID) = 0 (0x0)
202  *     SMB: User ID   (UID) = 0 (0x0)
203  *     SMB: Multiplex ID (MID) = 0 (0x0)
204  *     SMB: Flags Summary = 0 (0x0)
205  *   SMB: Command = C transact
206  *     SMB: Word count = 17
207  *     SMB: Word parameters
208  *     SMB: Total parm bytes = 0
209  *     SMB: Total data bytes = 33
210  *     SMB: Max parm bytes = 0
211  *     SMB: Max data bytes = 0
212  *     SMB: Max setup words = 0
213  *     SMB: Transact Flags Summary = 0 (0x0)
214  *       SMB: ...............0 = Leave session intact
215  *       SMB: ..............0. = Response required
216  *     SMB: Transact timeout = 0 (0x0)
217  *     SMB: Parameter bytes = 0 (0x0)
218  *     SMB: Parameter offset = 0 (0x0)
219  *     SMB: Data bytes = 33 (0x21)
220  *     SMB: Data offset = 86 (0x56)
221  *     SMB: Setup word count = 3
222  *     SMB: Setup words
223  *     SMB: Mailslot opcode = Write mailslot
224  *     SMB: Transaction priority = 1
225  *     SMB: Mailslot class = Unreliable (broadcast)
226  *     SMB: Byte count = 50
227  *     SMB: Byte parameters
228  *     SMB: Path name = \MAILSLOT\BROWSE
229  *     SMB: Transaction data
230  *   SMB: Data: Number of data bytes remaining = 33 (0x0021)
231  *
232  * Note the SMB command is Transact, the opcode within the Transact SMB is
233  * Mailslot Write, and the browser data structure is carried as the
234  * Transact data.
235  * The Transaction data begins with an opcode, that signifies the operation
236  * and determines the size and structure of data that follows. This opcode
237  * is named as per one of the below:
238  *
239  * HostAnnouncement         1
240  * AnnouncementRequest      2
241  * RequestElection          8
242  * GetBackupListReq         9
243  * GetBackupListResp        10
244  * BecomeBackup             11
245  * DomainAnnouncment        12
246  * MasterAnnouncement       13
247  * LocalMasterAnnouncement  15
248  *
249  * Browser datagrams are often referred to as simply browser frames. The
250  * frames are in particular, referred to by the name of the opcode within
251  * the Transaction data e.g. a GetBackupListReq browser frame, a
252  * RequestElection browser frame, etc.
253  *
254  * The structures that are sent as the data portion of the Transact SMB are
255  * described in section(s) 6.2 through 6.12 in this document. These
256  * structures are tightly packed, i.e. there are no intervening pad bytes
257  * in the structure, unless they are explicitly described as being there.
258  * All quantities are sent in native Intel format and multi-byte values are
259  * transmitted least significant byte first.
260  *
261  * Besides mailslots and Transaction SMBs, the other important piece of the
262  * browser architecture is the NetServerEnum2 request. This request that
263  * allows an application to interrogate a Browser Server and obtain a
264  * complete list of resources (servers, domains, etc) known to that Browser
265  * server. Details of the NetServerEnum2 request are presented in section
266  * 6.4. Some examples of the NetServerEnum2 request being used are when a
267  * Local Master Browser sends a NetServerEnum2 request to the Domain Master
268  * Browser and vice versa. Another example is when a browser client sends a
269  * NetServerEnum2 request to a Backup Browser server.
270  *
271  * 4.3 Non-Browser Server
272  *
273  * A non-browser server is a server that has some resource(s) or service(s)
274  * it wishes to advertise as being available using the browsing protocol.
275  * Examples of non-browser servers would be an SQL server, print server,
276  * etc.
277  *
278  * A non-browser server MUST periodically send a HostAnnouncement browser
279  * frame, specifying the type of resources or services it is advertising.
280  * Details are in section 6.5.
281  *
282  * A non-browser server SHOULD announce itself relatively frequently when
283  * it first starts up in order to make its presence quickly known to the
284  * browsers and thence to potential clients. The frequency of the
285  * announcements SHOULD then be gradually stretched, so as to minimize
286  * network traffic. Typically,  non-browser servers announce themselves
287  * once every minute upon start up and then gradually adjust the frequency
288  * of the announcements to once every 12 minutes.
289  *
290  * A non-browser server SHOULD send a HostAnnouncement browser frame
291  * specifying a type of  0 just prior to shutting down, to allow it to
292  * quickly be removed from the list of available servers.
293  *
294  * A non-browser server MUST receive and process AnnouncementRequest frames
295  * from the Local Master Browser, and MUST respond with a HostAnnouncement
296  * frame, after a delay chosen randomly from the interval [0,30] seconds.
297  * AnnouncementRequests typically happen when a Local Master Browser starts
298  * up with an empty list of servers for the domain, and wants to fill it
299  * quickly. The 30 second range for responses prevents the Master Browser
300  * from becoming overloaded and losing replies, as well as preventing the
301  * network from being flooded with responses.
302  *
303  * 4.4  Browser Servers
304  *
305  * The following sections describe the roles of the various types of
306  * browser servers.
307  *
308  * 4.4.1  Potential Browser Server
309  *
310  * A Potential Browser server is a browser server that is capable of being
311  * a Backup Browser server or Master Browser server, but is not currently
312  * fulfilling either of those roles.
313  *
314  * A Potential Browser MUST set type SV_TYPE_POTENTIAL_BROWSER (see section
315  * 6.4.1) in its HostAnnouncement until it is ready to shut down. In its
316  * last HostAnnouncement frame before it shuts down, it SHOULD specify a
317  * type of  0.
318  *
319  * A Potential Browser server MUST receive and process BecomeBackup frames
320  * (see section 6.9) and become a backup browser upon their receipt.
321  *
322  * A Potential Browser MUST participate in browser elections (see section
323  * 6.8).
324  *
325  * 4.4.2  Backup Browser
326  *
327  * Backup Browser servers are a subset of the Potential Browsers that have
328  * been chosen by the Master Browser on their subnet to be the Backup
329  * Browsers for the subnet.
330  *
331  * A Backup Browser MUST set type SV_TYPE_BACKUP_BROWSER (see section
332  * 6.4.1) in its HostAnnouncement until it is ready to shut down. In its
333  * last HostAnnouncement frame before it shuts down, it SHOULD specify a
334  * type of  0.
335  *
336  * A Backup Browser MUST listen for a LocalMasterAnnouncement frame (see
337  * section 6.10) from the Local Master Browser, and use it to set the name
338  * of the Master Browser it queries for the server and domain lists.
339  *
340  * A  Backup Browsers MUST periodically make a NetServerEnum2 request of
341  * the Master Browser on its subnet for its domain to get a list of servers
342  * in that domain, as well as a list of domains. The period is a
343  * configuration option balancing currency of the information with network
344  * traffic costs - a typical value is 15 minutes.
345  *
346  * A Backup Browser SHOULD force an election by sending a RequestElection
347  * frame (see section 6.7) if it does not get a response to its periodic
348  * NetServeEnum2 request to the Master Browser.
349  *
350  * A Backup Browser MUST receive and process NetServerEnum2 requests from
351  * browser clients, for its own domain and others. If the request is for a
352  * list of servers in its domain, or for a list of domains, it can answer
353  * from its internal lists. If the request is for a list of servers in a
354  * domain different than the one it serves, it sends a NetServerEnum2
355  * request to the Domain Master Browser for that domain (which it can in
356  * find in its list of domains and their Domain Master Browsers).
357  *
358  * A Backup Browser MUST participate in browser elections (see section
359  * 6.8).
360  *
361  * 4.4.3 Master Browser
362  *
363  * Master Browsers are responsible for:
364  * . indicating it is a Master Browser
365  * . receiving server announcements and building a list of such servers
366  *   and keeping it reasonably up-to-date.
367  * . returning lists of Backup Browsers to browser clients.
368  * . ensuring an appropriate number of Backup Browsers are available.
369  * . announcing their existence to other Master Browsers on their subnet,
370  *   to the Domain Master Browser for their domain, and to all browsers in
371  *   their domain on their subnet
372  * . forwarding requests for lists of servers on other domains to the
373  *   Master Browser for that domain
374  * . keeping a list of domains in its subnet
375  * . synchronizing with the Domain Master Browser (if any) for its domain
376  * . participating in browser elections
377  * . ensuring that there is only one Master Browser on its subnet
378  *
379  * A Master Browser MUST set type SV_TYPE_MASTER_BROWSER (see section
380  * 6.4.1) in its HostAnnouncement until it is ready to shut down. In its
381  * last HostAnnouncement frame before it shuts down, it SHOULD specify a
382  * type of  0.
383  *
384  * A Master Browser MUST receive and process HostAnnouncement frames from
385  * servers, adding the server name and other information to its servers
386  * list; it must mark them as "local" entries. Periodically, it MUST check
387  * all local server entries to see if a server's HostAnnouncement has timed
388  * out (no HostAnnouncement received for three times the periodicity the
389  * server gave in the last received HostAnnouncement) and remove timed-out
390  * servers from its list.
391  *
392  * A Master Browser MUST receive and process DomainAnnouncement frames (see
393  * section 6.12) and maintain the domain names and their associated (Local)
394  * Master Browsers in its internal domain list until they time out; it must
395  * mark these as "local" entries. Periodically, it MUST check all local
396  * domain entries to see if a server's DomainAnnouncement has timed out (no
397  * DomainAnnouncement received for three times the periodicity the server
398  * gave in the last received DomainAnnouncement) and remove timed-out
399  * servers from its list.
400  *
401  * A Master Browser MUST receive and process GetBackupListRequest frames
402  * from clients, returning GetBackupListResponse frames containing a list
403  * of the Backup Servers for its domain.
404  *
405  * A Master Browser MUST eventually send BecomeBackup frames (see section
406  * 6.9) to one or more Potential Browser servers to increase the number of
407  * Backup Browsers if there are not enough Backup Browsers to handle the
408  * anticipated query load. Note: possible good times for checking for
409  * sufficient backup browsers are after being elected, when timing out
410  * server HostAnnouncements, and when receiving a server's HostAnnouncement
411  * for the first time.
412  *
413  * A Master Browser MUST periodically announce itself and the domain it
414  * serves to other (Local) Master Browsers on its subnet, by sending a
415  * DomainAnnouncement frame (see section 6.12) to its subnet.
416  *
417  * A Master Browser MUST send a MasterAnnouncement frame (see section 6.11)
418  * to the Domain Master Browser after it is first elected, and periodically
419  * thereafter. This informs the Domain Master Browser of the presence of
420  * all the Master Browsers.
421  *
422  * A Master Browser MUST periodically announce itself to all browsers for
423  * its domain on its subnet by sending a LocalMasterAnnouncement frame (see
424  * section 6.10).
425  *
426  * A Master Browser MUST receive and process NetServerEnum2 requests from
427  * browser clients, for its own domain and others. If the request is for a
428  * list of servers in its domain, or for a list of domains, it can answer
429  * from its internal lists. Entries in its list marked "local" MUST have
430  * the SV_TYPE_LOCAL_LIST_ONLY bit set in the returned results; it must be
431  * clear for all other entries. If the request is for a list of servers in
432  * a domain different than the one it serves, it sends a NetServerEnum2
433  * request to the Domain Master Browser for that domain (which it can in
434  * find in its list of domains and their Domain Master Browsers).
435  *
436  *     Note: The list of servers that the Master Browser maintains and
437  *     returns to the Backup Browsers, is limited in size to 64K of
438  *     data. This will limit the number of systems that can be in a
439  *     browse list in a single workgroup or domain to approximately two
440  *     thousand systems.
441  *
442  * A Master Browser SHOULD request all servers to register with it by
443  * sending an AnnouncementRequest frame, if, on becoming the Master Browser
444  * by winning an election, its server list is empty. Otherwise, clients
445  * might get an incomplete list of servers until the servers' periodic
446  * registrations fill the server list.
447  *
448  * If the Master Browser on a subnet is not the Primary Domain Controller
449  * (PDC), then it is a Local Master Browser.
450  *
451  * A Local Master Browser MUST periodically synchronize with the Domain
452  * Master Browser (which is the PDC). This synchronization is performed by
453  * making a NetServerEnum2 request to the Domain Master Browser and merging
454  * the results with its list of servers and domains. An entry from the
455  * Domain Master Browser should be marked "non-local", and must not
456  * overwrite an entry with the same name marked "local". The Domain Master
457  * Browser is located as specified in Appendix B.
458  *
459  * A Master Browser MUST participate in browser elections (see section
460  * 6.8).
461  *
462  * A Master Browser MUST, if it receives a HostAnnouncement,
463  * DomainAnnouncement, or LocalMasterAnnouncement frame another system that
464  * claims to be the Master Browser for its domain, demote itself from
465  * Master Browser and force an election. This ensures that there is only
466  * ever one Master Browser in each workgroup or domain.
467  *
468  * A Master Browser SHOULD, if it loses an election, become a Backup
469  * Browser (without being told to do so by the new Master Browser). Since
470  * it has more up-to-date information in its lists than a Potential
471  * Browser, it is more efficient to have it be a Backup Browser than to
472  * promote a Potential Browser.
473  *
474  * 4.4.3.1 Preferred Master Browser
475  *
476  * A Preferred Master Browser supports exactly the same protocol elements
477  * as a Potential Browser, except as follows.
478  *
479  * A Preferred Master Browser MUST always force an election when it starts
480  * up.
481  *
482  * A Preferred Master Browser MUST participate in browser elections (see
483  * section 6.8).
484  *
485  * A Preferred Master Browser MUST set the Preferred Master bit in the
486  * RequestElection frame (see section 6.7) to bias the election in its
487  * favor.
488  *
489  * A Preferred Master Browser SHOULD, if it loses an election,
490  * automatically become a Backup Browser, without being told to do so by
491  * the Master Browser.
492  *
493  * 4.4.4 Domain Master Browser
494  *
495  * Since the Domain Master Browser always runs on the PDC, it must
496  * implement all the protocols required of a PDC in addition to the
497  * browsing protocol, and that is way beyond the scope of this
498  * specification.
499  *
500  * 5. Mailslot Protocol Specification
501  *
502  * The only transaction allowed to a mailslot is a mailslot write. Mailslot
503  * writes requests are encapsulated in TRANSACT SMBs. The following table
504  * shows the interpretation of the TRANSACT SMB parameters for a mailslot
505  * transaction:
506  *
507  *  Name            Value               Description
508  *  Command         SMB_COM_TRANSACTION
509  *  Name            <name>              STRING name of mail slot to write;
510  *                                      must start with "\\MAILSLOT\\"
511  *  SetupCount      3                   Always 3 for mailslot writes
512  *  Setup[0]        1                   Command code == write mailslot
513  *  Setup[1]        Ignored
514  *  Setup[2]        Ignored
515  *  TotalDataCount  n                   Size of data in bytes to write to
516  *                                      the mailslot
517  *  Data[ n ]                           The data to write to the mailslot
518  *
519  */
520 
521 /*
522  * SMB: C transact, File = \MAILSLOT\BROWSE
523  *   SMB: SMB Status = Error Success
524  *     SMB: Error class = No Error
525  *     SMB: Error code = No Error
526  *   SMB: Header: PID = 0x0000 TID = 0x0000 MID = 0x0000 UID = 0x0000
527  *     SMB: Tree ID   (TID) = 0 (0x0)
528  *     SMB: Process ID  (PID) = 0 (0x0)
529  *     SMB: User ID   (UID) = 0 (0x0)
530  *     SMB: Multiplex ID (MID) = 0 (0x0)
531  *     SMB: Flags Summary = 0 (0x0)
532  *   SMB: Command = C transact
533  *     SMB: Word count = 17
534  *     SMB: Word parameters
535  *     SMB: Total parm bytes = 0
536  *     SMB: Total data bytes = 33
537  *     SMB: Max parm bytes = 0
538  *     SMB: Max data bytes = 0
539  *     SMB: Max setup words = 0
540  *     SMB: Transact Flags Summary = 0 (0x0)
541  *       SMB: ...............0 = Leave session intact
542  *       SMB: ..............0. = Response required
543  *     SMB: Transact timeout = 0 (0x0)
544  *     SMB: Parameter bytes = 0 (0x0)
545  *     SMB: Parameter offset = 0 (0x0)
546  *     SMB: Data bytes = 33 (0x21)
547  *     SMB: Data offset = 86 (0x56)
548  *     SMB: Setup word count = 3
549  *     SMB: Setup words
550  *     SMB: Mailslot opcode = Write mailslot
551  *     SMB: Transaction priority = 1
552  *     SMB: Mailslot class = Unreliable (broadcast)
553  *     SMB: Byte count = 50
554  *     SMB: Byte parameters
555  *     SMB: Path name = \MAILSLOT\BROWSE
556  *     SMB: Transaction data
557  *   SMB: Data: Number of data bytes remaining = 33 (0x0021)
558  *
559  * 5. Mailslot Protocol Specification
560  *
561  * The only transaction allowed to a mailslot is a mailslot write. Mailslot
562  * writes requests are encapsulated in TRANSACT SMBs. The following table
563  * shows the interpretation of the TRANSACT SMB parameters for a mailslot
564  * transaction:
565  *
566  *  Name            Value               Description
567  *  Command         SMB_COM_TRANSACTION
568  *  Name            <name>              STRING name of mail slot to write;
569  *                                      must start with "\MAILSLOT\"
570  *  SetupCount      3                   Always 3 for mailslot writes
571  *  Setup[0]        1                   Command code == write mailslot
572  *  Setup[1]        Ignored
573  *  Setup[2]        Ignored
574  *  TotalDataCount  n                   Size of data in bytes to write to
575  *                                      the mailslot
576  *  Data[ n ]                           The data to write to the mailslot
577  *
578  *	Magic		0xFF 'S' 'M' 'B'
579  *	smb_com 	a byte, the "first" command
580  *	Error		a 4-byte union, ignored in a request
581  *	smb_flg		a one byte set of eight flags
582  *	smb_flg2	a two byte set of 16 flags
583  *	.		twelve reserved bytes, have a role
584  *			in connectionless transports (IPX, UDP?)
585  *	smb_tid		a 16-bit tree ID, a mount point sorta,
586  *			0xFFFF is this command does not have
587  *			or require a tree context
588  *	smb_pid		a 16-bit process ID
589  *	smb_uid		a 16-bit user ID, specific to this "session"
590  *			and mapped to a system (bona-fide) UID
591  *	smb_mid		a 16-bit multiplex ID, used to differentiate
592  *			multiple simultaneous requests from the same
593  *			process (pid) (ref RPC "xid")
594  */
595 
596 int
597 smb_browser_load_transact_header(unsigned char *buffer, int maxcnt,
598     int data_count, int reply, char *mailbox)
599 {
600 	smb_msgbuf_t mb;
601 	int	mailboxlen;
602 	char *fmt;
603 	int result;
604 	short	class = (reply == ONE_WAY_TRANSACTION) ? 2 : 0;
605 
606 	/*
607 	 * If the mailboxlen is an even number we need to pad the
608 	 * header so that the data starts on a word boundary.
609 	 */
610 	fmt = "Mb4.bw20.bwwwwb.wl2.wwwwb.wwwws";
611 	mailboxlen = strlen(mailbox) + 1;
612 
613 	if ((mailboxlen & 0x01) == 0) {
614 		++mailboxlen;
615 		fmt = "Mb4.bw20.bwwwwb.wl2.wwwwb.wwwws.";
616 	}
617 
618 	bzero(buffer, maxcnt);
619 	smb_msgbuf_init(&mb, buffer, maxcnt, 0);
620 
621 	result = smb_msgbuf_encode(&mb, fmt,
622 	    SMB_COM_TRANSACTION,	/* Command */
623 	    0x18,
624 	    0x3,
625 	    17,				/* Count of parameter words */
626 	    0,				/* Total Parameter words sent */
627 	    data_count,			/* Total Data bytes sent */
628 	    2,				/* Max Parameters to return */
629 	    0,				/* Max data bytes to return */
630 	    0,				/* Max setup bytes to return */
631 	    reply,			/* No reply */
632 	    0xffffffff,			/* Timeout */
633 	    0,				/* Parameter bytes sent */
634 	    0,				/* Parameter offset */
635 	    data_count,			/* Data bytes sent */
636 	    69 + mailboxlen,		/* Data offset */
637 	    3,				/* Setup word count */
638 	    1,				/* Setup word[0] */
639 	    0,				/* Setup word[1] */
640 	    class,			/* Setup word[2] */
641 	    mailboxlen + data_count,	/* Total request bytes */
642 	    mailbox);			/* Mailbox address */
643 
644 	smb_msgbuf_term(&mb);
645 	return (result);
646 }
647 
648 static int
649 smb_browser_addr_of_subnet(struct name_entry *name, smb_hostinfo_t *hinfo,
650     struct name_entry *result)
651 {
652 	uint32_t ipaddr, mask, saddr;
653 	addr_entry_t *addr;
654 
655 	if (name == NULL)
656 		return (-1);
657 
658 	if (hinfo->hi_nic.nic_smbflags & SMB_NICF_ALIAS)
659 		return (-1);
660 
661 	ipaddr = hinfo->hi_nic.nic_ip.a_ipv4;
662 	mask = hinfo->hi_nic.nic_mask;
663 
664 	*result = *name;
665 	addr = &name->addr_list;
666 	do {
667 		saddr = addr->sin.sin_addr.s_addr;
668 		if ((saddr & mask) == (ipaddr & mask)) {
669 			*result = *name;
670 			result->addr_list = *addr;
671 			result->addr_list.forw = result->addr_list.back =
672 			    &result->addr_list;
673 			return (0);
674 		}
675 		addr = addr->forw;
676 	} while (addr != &name->addr_list);
677 
678 	return (-1);
679 }
680 
681 
682 static int
683 smb_browser_bcast_addr_of_subnet(struct name_entry *name, uint32_t bcast,
684     struct name_entry *result)
685 {
686 	if (name != NULL && name != result)
687 		*result = *name;
688 
689 	result->addr_list.sin.sin_family = AF_INET;
690 	result->addr_list.sinlen = sizeof (result->addr_list.sin);
691 	result->addr_list.sin.sin_addr.s_addr = bcast;
692 	result->addr_list.sin.sin_port = htons(IPPORT_NETBIOS_DGM);
693 	result->addr_list.forw = result->addr_list.back = &result->addr_list;
694 	return (0);
695 }
696 
697 /*
698  * 6.5 HostAnnouncement Browser Frame
699  *
700  * To advertise its presence, i.e. to publish itself as being available, a
701  * non-browser server sends a HostAnnouncement browser frame. If the server
702  * is a member of domain "D", this frame is sent to the NETBIOS unique name
703  * D(1d) and mailslot "\\MAILSLOT\\BROWSE". The definition of  the
704  * HostAnnouncement frame is:
705  *
706  *     struct {
707  *         unsigned short  Opcode;
708  *         unsigned char   UpdateCount;
709  *         uint32_t   Periodicity;
710  *         unsigned char   ServerName[];
711  *         unsigned char   VersionMajor;
712  *         unsigned char   VersionMinor;
713  *         uint32_t   Type;
714  *         uint32_t   Signature;
715  *         unsigned char   Comment[];
716  *     }
717  *
718  * where:
719  *      Opcode - Identifies this structure as a browser server
720  *          announcement and is defined as HostAnnouncement with a
721  *          value of decimal 1.
722  *
723  *      UpdateCount - must be sent as zero and ignored on receipt.
724  *
725  *      Periodicity - The announcement frequency of the server (in
726  *          seconds). The server will be removed from the browse list
727  *          if it has not been heard from in 3X its announcement
728  *          frequency. In no case will the server be removed from the
729  *          browse list before the period 3X has elapsed. Actual
730  *          implementations may take more than 3X to actually remove
731  *          the server from the browse list.
732  *
733  *      ServerName - Null terminated ASCII server name (up to 16 bytes
734  *          in length).
735  *
736  *      VersionMajor - The major version number of the OS the server
737  *          is running. it will be returned by NetServerEnum2.
738  *
739  *      VersionMinor - The minor version number of the OS the server
740  *          is running. This is entirely informational and does not
741  *          have any significance for the browsing protocol.
742  *
743  *      Type - Specifies the type of the server. The server type bits
744  *          are specified in the NetServerEnum2 section.
745  *
746  *      Signature -  The browser protocol minor version number in the
747  *          low 8 bits, the browser protocol major version number in
748  *          the next higher 8 bits and the signature 0xaa55 in the
749  *          high 16 bits of this field. Thus, for this version of the
750  *          browser protocol (1.15) this field has the value
751  *          0xaa55010f. This may used to isolate browser servers that
752  *          are running out of revision browser software; otherwise,
753  *          it is ignored.
754  *
755  *      Comment - Null terminated ASCII comment for the server.
756  *          Limited to 43 bytes.
757  *
758  * When a non-browser server starts up, it announces itself in the manner
759  * described once every minute. The frequency of these statements is
760  * gradually stretched to once every 12 minutes.
761  *
762  * Note: older non-browser servers in a domain "D" sent HostAnnouncement
763  * frames to the NETBIOS group name D(00). Non-Browser servers supporting
764  * version 1.15 of the browsing protocol SHOULD NOT use this NETBIOS name,
765  * but for backwards compatibility Master Browsers MAY receive and process
766  * HostAnnouncement frames on this name as described above for D(1d).
767  */
768 
769 static void
770 smb_browser_send_HostAnnouncement(smb_hostinfo_t *hinfo,
771     uint32_t next_announcement, boolean_t remove,
772     addr_entry_t *addr, char suffix)
773 {
774 	smb_msgbuf_t mb;
775 	int offset, announce_len, data_length;
776 	struct name_entry dest_name;
777 	unsigned char *buffer;
778 	uint32_t type;
779 	char resource_domain[SMB_PI_MAX_DOMAIN];
780 
781 	if (smb_getdomainname(resource_domain, SMB_PI_MAX_DOMAIN) != 0)
782 		return;
783 	(void) smb_strupr(resource_domain);
784 
785 	if (addr == NULL) {
786 		/* Local master Browser */
787 		smb_init_name_struct((unsigned char *)resource_domain, suffix,
788 		    0, 0, 0, 0, 0, &dest_name);
789 		if (smb_browser_bcast_addr_of_subnet(0, hinfo->hi_nic.nic_bcast,
790 		    &dest_name) < 0)
791 			return;
792 	} else {
793 		smb_init_name_struct((unsigned char *)resource_domain, suffix,
794 		    0, 0, 0, 0, 0, &dest_name);
795 		dest_name.addr_list = *addr;
796 		dest_name.addr_list.forw = dest_name.addr_list.back =
797 		    &dest_name.addr_list;
798 	}
799 
800 	/* give some extra room */
801 	buffer = malloc(MAX_DATAGRAM_LENGTH * 2);
802 	if (buffer == NULL) {
803 		syslog(LOG_DEBUG, "smb browser: HostAnnouncement: %m");
804 		return;
805 	}
806 
807 	data_length = 1 + 1 + 4 + 16 + 1 + 1 + 4 + 4 +
808 	    strlen(hinfo->hi_nic.nic_cmnt) + 1;
809 
810 	offset = smb_browser_load_transact_header(buffer,
811 	    MAX_DATAGRAM_LENGTH, data_length, ONE_WAY_TRANSACTION,
812 	    MAILSLOT_BROWSE);
813 
814 	if (offset < 0) {
815 		free(buffer);
816 		return;
817 	}
818 
819 	/*
820 	 * A non-browser server SHOULD send a HostAnnouncement browser frame
821 	 * specifying a type of 0 just prior to shutting down, to allow it to
822 	 * quickly be removed from the list of available servers.
823 	 */
824 	if (remove || (!smb_netbios_running()))
825 		type = 0;
826 	else
827 		type = hinfo->hi_type;
828 
829 	smb_msgbuf_init(&mb, buffer + offset, MAX_DATAGRAM_LENGTH - offset, 0);
830 
831 	announce_len = smb_msgbuf_encode(&mb, "bbl16cbblls",
832 	    HOST_ANNOUNCEMENT,
833 	    ++hinfo->hi_updatecnt,
834 	    next_announcement * 60000,	/* Periodicity in MilliSeconds */
835 	    hinfo->hi_nbname,
836 	    (uint8_t)hinfo->hi_version.sv_major,
837 	    (uint8_t)hinfo->hi_version.sv_minor,
838 	    type,
839 	    SMB_SERVER_SIGNATURE,
840 	    hinfo->hi_nic.nic_cmnt);
841 
842 	if (announce_len > 0)
843 		(void) smb_netbios_datagram_send(&hinfo->hi_netname, &dest_name,
844 		    buffer, offset + announce_len);
845 
846 	free(buffer);
847 	smb_msgbuf_term(&mb);
848 }
849 
850 static void
851 smb_browser_process_AnnouncementRequest(struct datagram *datagram,
852     char *mailbox)
853 {
854 	smb_hostinfo_t *hinfo;
855 	uint32_t next_announcement;
856 	uint32_t delay = random() % 29; /* in seconds */
857 	boolean_t h_found = B_FALSE;
858 
859 	if (strcmp(mailbox, MAILSLOT_LANMAN) != 0) {
860 		syslog(LOG_DEBUG, "smb browser: wrong mailbox (%s)", mailbox);
861 		return;
862 	}
863 
864 	smb_netbios_sleep(delay);
865 
866 	(void) rw_rdlock(&smb_binfo.bi_hlist_rwl);
867 	hinfo = list_head(&smb_binfo.bi_hlist);
868 	while (hinfo) {
869 		if ((hinfo->hi_nic.nic_ip.a_ipv4 &
870 		    hinfo->hi_nic.nic_mask) ==
871 		    (datagram->src.addr_list.sin.sin_addr.s_addr &
872 		    hinfo->hi_nic.nic_mask)) {
873 			h_found = B_TRUE;
874 			break;
875 		}
876 		hinfo = list_next(&smb_binfo.bi_hlist, hinfo);
877 	}
878 
879 	if (h_found) {
880 		next_announcement = hinfo->hi_nextannouce * 60 * 1000;
881 		smb_browser_send_HostAnnouncement(hinfo, next_announcement,
882 		    B_FALSE, &datagram->src.addr_list, NBT_MB);
883 	}
884 	(void) rw_unlock(&smb_binfo.bi_hlist_rwl);
885 }
886 
887 void *
888 smb_browser_dispatch(void *arg)
889 {
890 	struct datagram *datagram = (struct datagram *)arg;
891 	smb_msgbuf_t 	mb;
892 	int		rc;
893 	unsigned char	command;
894 	unsigned char	parameter_words;
895 	unsigned short	total_parameter_words;
896 	unsigned short	total_data_count;
897 	unsigned short	max_parameters_to_return;
898 	unsigned short	max_data_to_return;
899 	unsigned char	max_setup_bytes_to_return;
900 	unsigned short	reply;
901 	unsigned short	parameter_bytes_sent;
902 	unsigned short	parameter_offset;
903 	unsigned short	data_bytes_sent;
904 	unsigned short	data_offset;
905 	unsigned char	setup_word_count;
906 	unsigned short	setup_word_0;
907 	unsigned short	setup_word_1;
908 	unsigned short	setup_word_2;
909 	unsigned short	total_request_bytes;
910 	char 		*mailbox;
911 	unsigned char	message_type;
912 	unsigned char 	*data;
913 	int		datalen;
914 
915 	syslog(LOG_DEBUG, "smb browser: packet received");
916 
917 	smb_msgbuf_init(&mb, datagram->data, datagram->data_length, 0);
918 	rc = smb_msgbuf_decode(&mb, "Mb27.bwwwwb.w6.wwwwb.wwwws",
919 	    &command,			/* Command */
920 	    &parameter_words,		/* Count of parameter words */
921 	    &total_parameter_words,	/* Total Parameter words sent */
922 	    &total_data_count,		/* Total Data bytes sent */
923 	    &max_parameters_to_return,	/* Max Parameters to return */
924 	    &max_data_to_return,	/* Max data bytes to return */
925 	    &max_setup_bytes_to_return,	/* Max setup bytes to return */
926 	    &reply,			/* No reply */
927 	    &parameter_bytes_sent,	/* Parameter bytes sent */
928 	    &parameter_offset,		/* Parameter offset */
929 	    &data_bytes_sent,		/* Data bytes sent */
930 	    &data_offset,		/* Data offset */
931 	    &setup_word_count,		/* Setup word count */
932 	    &setup_word_0,		/* Setup word[0] */
933 	    &setup_word_1,		/* Setup word[1] */
934 	    &setup_word_2,		/* Setup word[2] */
935 	    &total_request_bytes,	/* Total request bytes */
936 	    &mailbox);			/* Mailbox address */
937 
938 	if (rc < 0) {
939 		syslog(LOG_ERR, "smb browser: decode error");
940 		smb_msgbuf_term(&mb);
941 		free(datagram);
942 		return (0);
943 	}
944 
945 	data = &datagram->data[data_offset];
946 	datalen = datagram->data_length - data_offset;
947 
948 	/*
949 	 * The PDC location protocol, i.e. anything on the \\NET
950 	 * mailslot, is handled by the smb_netlogon module.
951 	 */
952 	if (strncasecmp("\\MAILSLOT\\NET\\", mailbox, 14) == 0) {
953 		smb_netlogon_receive(datagram, mailbox, data, datalen);
954 		smb_msgbuf_term(&mb);
955 		free(datagram);
956 		return (0);
957 	}
958 
959 	/*
960 	 * If it's not a netlogon message, assume it's a browser request.
961 	 * This is not the most elegant way to extract the command byte
962 	 * but at least we no longer use it to get the netlogon opcode.
963 	 */
964 	message_type = datagram->data[data_offset];
965 
966 	switch (message_type) {
967 	case ANNOUNCEMENT_REQUEST :
968 		smb_browser_process_AnnouncementRequest(datagram, mailbox);
969 		break;
970 
971 	default:
972 		syslog(LOG_DEBUG, "smb browser: invalid message type(%d, %x)",
973 		    message_type, message_type);
974 		break;
975 	}
976 
977 	smb_msgbuf_term(&mb);
978 	free(datagram);
979 	return (0);
980 }
981 
982 
983 /*
984  * 11.1 Registered unique names
985  *
986  *  <COMPUTER>(00)
987  *     This name is used by all servers and clients to receive second
988  *     class mailslot messages. A system must add this name in order to
989  *     receive mailslot messages. The only browser requests that should
990  *     appear on this name are BecomeBackup, GetBackupListResp,
991  *     MasterAnnouncement, and LocalMasterAnnouncement frames. All other
992  *     datagrams (other than the expected non-browser datagrams) may be
993  *     ignored and an error logged.
994  *
995  *   <DOMAIN>(1d)
996  *     This name is used to identify a master browser server for domain
997  *     "DOMAIN" on a subnet.  A master browser server adds this name as a
998  *     unique NETBIOS name when it becomes master browser. If the attempt
999  *     to add the name fails, the master browser server assumes that there
1000  *     is another master in the domain and will fail to come up. It may
1001  *     log an error if the failure occurs more than 3 times in a row (this
1002  *     either indicates some form of network misconfiguration or a
1003  *     software error). The only requests that should appear on this name
1004  *     are GetBackupListRequest and HostAnnouncement requests. All other
1005  *     datagrams on this name may be ignored (and an error logged). If
1006  *     running a NETBIOS name service (NBNS, such as WINS), this name
1007  *     should not be registered with the NBNS.
1008  *
1009  *   <DOMAIN>(1b)
1010  *     This name is used to identify the Domain Master Browser for domain
1011  *     "DOMAIN" (which is also the primary domain controller). It is a
1012  *     unique name added only by the primary domain controller. The
1013  *     primary domain controller will respond to GetBackupListRequest on
1014  *     this name just as it responds to these requests on the <DOMAIN>(1d)
1015  *     name.
1016  *
1017  * 11.2 Registered group names
1018  *
1019  *   (01)(02)__MSBROWSE__(02)(01)
1020  *     This name is used by Master Browsers to announce themselves to the
1021  *     other Master Browsers on a subnet. It is added as a group name by
1022  *     all Master Browser servers. The only broadcasts that should appear
1023  *     on this name is DomainAnnouncement requests. All other datagrams
1024  *     can be ignored.
1025  *
1026  *   <DOMAIN>(00)
1027  *     This name is used by clients and servers in domain "DOMAIN" to
1028  *     process server announcements. The only requests that should appear
1029  *     on this name that the browser is interested in are
1030  *     AnnouncementRequest and NETLOGON_QUERY (to locate the PDC) packets.
1031  *     All other unidentifiable requests may be ignored (and an error
1032  *     logged).
1033  *
1034  *   <DOMAIN>(1E)
1035  *     This name is used for announcements to browsers for domain "DOMAIN"
1036  *     on a subnet. This name is registered by all the browser servers in
1037  *     the domain. The only requests that should appear on this name are
1038  *     RequestElection and AnnouncementRequest packets. All other
1039  *     datagrams may be ignored (and an error logged).
1040  *
1041  *   <DOMAIN>(1C)
1042  *     This name is registered by Primary Domain Controllers.
1043  */
1044 
1045 static void
1046 smb_browser_config(void)
1047 {
1048 	smb_hostinfo_t *hinfo;
1049 	struct name_entry	name;
1050 	struct name_entry	master;
1051 	struct name_entry	dest;
1052 	struct name_entry	*entry;
1053 	char resource_domain[SMB_PI_MAX_DOMAIN];
1054 	int rc;
1055 
1056 	if (smb_browser_init() != 0)
1057 		return;
1058 
1059 	if (smb_getdomainname(resource_domain, SMB_PI_MAX_DOMAIN) != 0)
1060 		return;
1061 	(void) smb_strupr(resource_domain);
1062 
1063 	/* domain<00> */
1064 	smb_init_name_struct((unsigned char *)resource_domain, NBT_WKSTA,
1065 	    0, 0, 0, 0, 0, &name);
1066 	entry = smb_name_find_name(&name);
1067 	smb_name_unlock_name(entry);
1068 
1069 	(void) rw_rdlock(&smb_binfo.bi_hlist_rwl);
1070 	hinfo = list_head(&smb_binfo.bi_hlist);
1071 	while (hinfo) {
1072 		smb_init_name_struct((unsigned char *)resource_domain,
1073 		    NBT_WKSTA, 0, hinfo->hi_nic.nic_ip.a_ipv4,
1074 		    htons(IPPORT_NETBIOS_DGM), NAME_ATTR_GROUP,
1075 		    NAME_ATTR_LOCAL, &name);
1076 		(void) smb_name_add_name(&name);
1077 
1078 		hinfo = list_next(&smb_binfo.bi_hlist, hinfo);
1079 	}
1080 	(void) rw_unlock(&smb_binfo.bi_hlist_rwl);
1081 
1082 	/* All our local master browsers */
1083 	smb_init_name_struct((unsigned char *)resource_domain, NBT_MB,
1084 	    0, 0, 0, 0, 0, &dest);
1085 	entry = smb_name_find_name(&dest);
1086 
1087 	if (entry) {
1088 		(void) rw_rdlock(&smb_binfo.bi_hlist_rwl);
1089 		hinfo = list_head(&smb_binfo.bi_hlist);
1090 		while (hinfo) {
1091 			rc = smb_browser_addr_of_subnet(entry, hinfo, &master);
1092 			if (rc == 0) {
1093 				syslog(LOG_DEBUG,
1094 				    "smb browser: master browser found at %s",
1095 				    inet_ntoa(master.addr_list.sin.sin_addr));
1096 			}
1097 			hinfo = list_next(&smb_binfo.bi_hlist, hinfo);
1098 		}
1099 		(void) rw_unlock(&smb_binfo.bi_hlist_rwl);
1100 
1101 		smb_name_unlock_name(entry);
1102 	}
1103 
1104 	/* Domain master browser */
1105 	smb_init_name_struct((unsigned char *)resource_domain,
1106 	    NBT_DMB, 0, 0, 0, 0, 0, &dest);
1107 
1108 	if ((entry = smb_name_find_name(&dest)) != 0) {
1109 		syslog(LOG_DEBUG,
1110 		    "smb browser: domain master browser for %s is %s",
1111 		    resource_domain,
1112 		    inet_ntoa(entry->addr_list.sin.sin_addr));
1113 		smb_name_unlock_name(entry);
1114 	}
1115 }
1116 
1117 static int
1118 smb_browser_init(void)
1119 {
1120 	smb_hostinfo_t *hinfo;
1121 	smb_niciter_t ni;
1122 	uint32_t type;
1123 	smb_version_t version;
1124 
1125 	smb_config_get_version(&version);
1126 
1127 	(void) rw_wrlock(&smb_binfo.bi_hlist_rwl);
1128 	smb_browser_infofree();
1129 
1130 	if (smb_nic_getfirst(&ni) != SMB_NIC_SUCCESS) {
1131 		(void) rw_unlock(&smb_binfo.bi_hlist_rwl);
1132 		return (-1);
1133 	}
1134 
1135 	type = MY_SERVER_TYPE;
1136 	if (smb_config_get_secmode() == SMB_SECMODE_DOMAIN)
1137 		type |= SV_DOMAIN_MEMBER;
1138 
1139 	do {
1140 		if ((ni.ni_nic.nic_smbflags & SMB_NICF_NBEXCL) ||
1141 		    (ni.ni_nic.nic_smbflags & SMB_NICF_ALIAS))
1142 			continue;
1143 
1144 		hinfo = malloc(sizeof (smb_hostinfo_t));
1145 		if (hinfo == NULL) {
1146 			smb_browser_infofree();
1147 			(void) rw_unlock(&smb_binfo.bi_hlist_rwl);
1148 			return (-1);
1149 		}
1150 
1151 		hinfo->hi_nic = ni.ni_nic;
1152 		/* One Minute announcements for first five */
1153 		hinfo->hi_nextannouce = 1;
1154 		hinfo->hi_interval = 1;
1155 		hinfo->hi_reps = 5;
1156 		hinfo->hi_updatecnt = 0;
1157 		hinfo->hi_type = type;
1158 		hinfo->hi_version = version;
1159 
1160 		/* This is the name used for HostAnnouncement */
1161 		(void) strlcpy(hinfo->hi_nbname, hinfo->hi_nic.nic_host,
1162 		    NETBIOS_NAME_SZ);
1163 		(void) smb_strupr(hinfo->hi_nbname);
1164 		/* 0x20: file server service  */
1165 		smb_init_name_struct((unsigned char *)hinfo->hi_nbname,
1166 		    NBT_SERVER, 0, hinfo->hi_nic.nic_ip.a_ipv4,
1167 		    htons(IPPORT_NETBIOS_DGM),
1168 		    NAME_ATTR_UNIQUE, NAME_ATTR_LOCAL,
1169 		    &hinfo->hi_netname);
1170 
1171 		list_insert_tail(&smb_binfo.bi_hlist, hinfo);
1172 		smb_binfo.bi_hcnt++;
1173 	} while (smb_nic_getnext(&ni) == SMB_NIC_SUCCESS);
1174 
1175 	(void) rw_unlock(&smb_binfo.bi_hlist_rwl);
1176 	return (0);
1177 }
1178 
1179 /*
1180  * smb_browser_non_master_duties
1181  *
1182  * To advertise its presence, i.e. to publish itself as being available, a
1183  * non-browser server sends a HostAnnouncement browser frame. If the server
1184  * is a member of domain "D", this frame is sent to the NETBIOS unique name
1185  * D(1d) and mailslot "\\MAILSLOT\\BROWSE".
1186  */
1187 static void
1188 smb_browser_non_master_duties(smb_hostinfo_t *hinfo, boolean_t remove)
1189 {
1190 	struct name_entry name;
1191 	struct name_entry *dest;
1192 	addr_entry_t addr;
1193 	char resource_domain[SMB_PI_MAX_DOMAIN];
1194 
1195 	smb_browser_send_HostAnnouncement(hinfo, hinfo->hi_interval,
1196 	    remove, 0, NBT_MB);
1197 	if (smb_getdomainname(resource_domain, SMB_PI_MAX_DOMAIN) != 0)
1198 		return;
1199 
1200 	(void) smb_strupr(resource_domain);
1201 
1202 	smb_init_name_struct((unsigned char *)resource_domain, NBT_MB,
1203 	    0, 0, 0, 0, 0, &name);
1204 
1205 	if ((dest = smb_name_find_name(&name))) {
1206 		addr = dest->addr_list;
1207 		addr.forw = addr.back = &addr;
1208 		smb_name_unlock_name(dest);
1209 		smb_browser_send_HostAnnouncement(hinfo, hinfo->hi_interval,
1210 		    remove, &addr, NBT_MB);
1211 	} else {
1212 		smb_init_name_struct((unsigned char *)resource_domain,
1213 		    NBT_DMB, 0, 0, 0, 0, 0, &name);
1214 		if ((dest = smb_name_find_name(&name))) {
1215 			addr = dest->addr_list;
1216 			addr.forw = addr.back = &addr;
1217 			smb_name_unlock_name(dest);
1218 			smb_browser_send_HostAnnouncement(hinfo,
1219 			    remove, hinfo->hi_interval, &addr, NBT_DMB);
1220 		}
1221 	}
1222 
1223 	/*
1224 	 * One Minute announcements for first five
1225 	 * minutes, one minute longer each round
1226 	 * until 12 minutes and every 12 minutes
1227 	 * thereafter.
1228 	 */
1229 	if (--hinfo->hi_reps == 0) {
1230 		if (hinfo->hi_interval < 12)
1231 			hinfo->hi_interval++;
1232 
1233 		hinfo->hi_reps = 1;
1234 	}
1235 
1236 	hinfo->hi_nextannouce = hinfo->hi_interval;
1237 }
1238 
1239 
1240 /*
1241  * SMB NetBIOS Browser Service
1242  */
1243 /*ARGSUSED*/
1244 void *
1245 smb_browser_service(void *arg)
1246 {
1247 	smb_hostinfo_t *hinfo;
1248 
1249 	smb_browser_infoinit();
1250 	smb_browser_config();
1251 
1252 	smb_netbios_event(NETBIOS_EVENT_BROWSER_START);
1253 
1254 restart:
1255 	do {
1256 		(void) rw_rdlock(&smb_binfo.bi_hlist_rwl);
1257 		hinfo = list_head(&smb_binfo.bi_hlist);
1258 
1259 		while (hinfo) {
1260 			if (--hinfo->hi_nextannouce > 0 ||
1261 			    hinfo->hi_nic.nic_bcast == 0) {
1262 				hinfo = list_next(&smb_binfo.bi_hlist, hinfo);
1263 				continue;
1264 			}
1265 
1266 			smb_browser_non_master_duties(hinfo, B_FALSE);
1267 
1268 			/* Check to see whether reconfig is needed */
1269 			(void) mutex_lock(&smb_binfo.bi_mtx);
1270 			if (smb_binfo.bi_changed) {
1271 				smb_binfo.bi_changed = B_FALSE;
1272 				(void) mutex_unlock(&smb_binfo.bi_mtx);
1273 				(void) rw_unlock(&smb_binfo.bi_hlist_rwl);
1274 				smb_browser_config();
1275 				goto restart;
1276 			}
1277 			(void) mutex_unlock(&smb_binfo.bi_mtx);
1278 
1279 			hinfo = list_next(&smb_binfo.bi_hlist, hinfo);
1280 		}
1281 
1282 		(void) rw_unlock(&smb_binfo.bi_hlist_rwl);
1283 		smb_netbios_sleep(SECSPERMIN);	/* 1 minute */
1284 	} while (smb_netbios_running());
1285 
1286 	smb_browser_infoterm();
1287 	smb_netbios_event(NETBIOS_EVENT_BROWSER_STOP);
1288 	return (0);
1289 }
1290 
1291 /*
1292  * smb_browser_netlogon
1293  *
1294  * Sends SAMLOGON/NETLOGON request for all host/ips, except
1295  * aliases, to find a domain controller.
1296  *
1297  * The dc argument will be set if a DC is found.
1298  */
1299 boolean_t
1300 smb_browser_netlogon(char *domain, char *dc, uint32_t dc_len)
1301 {
1302 	smb_hostinfo_t *hinfo;
1303 	boolean_t found = B_FALSE;
1304 	timestruc_t to;
1305 	int err;
1306 
1307 	(void) rw_rdlock(&smb_binfo.bi_hlist_rwl);
1308 	hinfo = list_head(&smb_binfo.bi_hlist);
1309 	while (hinfo) {
1310 		if ((hinfo->hi_nic.nic_smbflags & SMB_NICF_ALIAS) == 0)
1311 			smb_netlogon_request(&hinfo->hi_netname, domain);
1312 		hinfo = list_next(&smb_binfo.bi_hlist, hinfo);
1313 	}
1314 	(void) rw_unlock(&smb_binfo.bi_hlist_rwl);
1315 
1316 	bzero(dc, dc_len);
1317 	to.tv_sec = 30;
1318 	to.tv_nsec = 0;
1319 	(void) mutex_lock(&ntdomain_mtx);
1320 	while (ntdomain_info.n_ipaddr == 0) {
1321 		err = cond_reltimedwait(&ntdomain_cv, &ntdomain_mtx, &to);
1322 		if (err == ETIME)
1323 			break;
1324 	}
1325 
1326 	if (ntdomain_info.n_ipaddr != 0) {
1327 		(void) strlcpy(dc, ntdomain_info.n_name, dc_len);
1328 		found = B_TRUE;
1329 	}
1330 	(void) mutex_unlock(&ntdomain_mtx);
1331 
1332 	return (found);
1333 }
1334 
1335 /*
1336  * smb_browser_infoinit
1337  *
1338  * This function is called only once when the browser starts
1339  * to initialize the global smb_binfo structure.
1340  */
1341 static void
1342 smb_browser_infoinit(void)
1343 {
1344 	(void) mutex_lock(&ntdomain_mtx);
1345 	bzero(&ntdomain_info, sizeof (ntdomain_info));
1346 	(void) mutex_unlock(&ntdomain_mtx);
1347 
1348 	(void) rw_wrlock(&smb_binfo.bi_hlist_rwl);
1349 	list_create(&smb_binfo.bi_hlist, sizeof (smb_hostinfo_t),
1350 	    offsetof(smb_hostinfo_t, hi_lnd));
1351 	smb_binfo.bi_hcnt = 0;
1352 	(void) rw_unlock(&smb_binfo.bi_hlist_rwl);
1353 
1354 	(void) mutex_lock(&smb_binfo.bi_mtx);
1355 	smb_binfo.bi_changed = B_FALSE;
1356 	(void) mutex_unlock(&smb_binfo.bi_mtx);
1357 }
1358 
1359 /*
1360  * smb_browser_infoterm
1361  *
1362  * This function is called only once when the browser stops
1363  * to destroy the smb_binfo structure.
1364  */
1365 static void
1366 smb_browser_infoterm(void)
1367 {
1368 	(void) rw_wrlock(&smb_binfo.bi_hlist_rwl);
1369 	smb_browser_infofree();
1370 	list_destroy(&smb_binfo.bi_hlist);
1371 	(void) rw_unlock(&smb_binfo.bi_hlist_rwl);
1372 }
1373 
1374 /*
1375  * smb_browser_infofree
1376  *
1377  * Removes all the hostinfo structures from the browser list
1378  * and frees the allocated memory
1379  */
1380 static void
1381 smb_browser_infofree(void)
1382 {
1383 	smb_hostinfo_t *hinfo;
1384 
1385 	while ((hinfo = list_head(&smb_binfo.bi_hlist)) != NULL) {
1386 		list_remove(&smb_binfo.bi_hlist, hinfo);
1387 		free(hinfo);
1388 	}
1389 
1390 	smb_binfo.bi_hcnt = 0;
1391 }
1392