1b89a8333Snatalie li - Sun Microsystems - Irvine United States /*
2b89a8333Snatalie li - Sun Microsystems - Irvine United States * CDDL HEADER START
3b89a8333Snatalie li - Sun Microsystems - Irvine United States *
4b89a8333Snatalie li - Sun Microsystems - Irvine United States * The contents of this file are subject to the terms of the
5b89a8333Snatalie li - Sun Microsystems - Irvine United States * Common Development and Distribution License (the "License").
6b89a8333Snatalie li - Sun Microsystems - Irvine United States * You may not use this file except in compliance with the License.
7b89a8333Snatalie li - Sun Microsystems - Irvine United States *
8b89a8333Snatalie li - Sun Microsystems - Irvine United States * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9b89a8333Snatalie li - Sun Microsystems - Irvine United States * or http://www.opensolaris.org/os/licensing.
10b89a8333Snatalie li - Sun Microsystems - Irvine United States * See the License for the specific language governing permissions
11b89a8333Snatalie li - Sun Microsystems - Irvine United States * and limitations under the License.
12b89a8333Snatalie li - Sun Microsystems - Irvine United States *
13b89a8333Snatalie li - Sun Microsystems - Irvine United States * When distributing Covered Code, include this CDDL HEADER in each
14b89a8333Snatalie li - Sun Microsystems - Irvine United States * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15b89a8333Snatalie li - Sun Microsystems - Irvine United States * If applicable, add the following below this CDDL HEADER, with the
16b89a8333Snatalie li - Sun Microsystems - Irvine United States * fields enclosed by brackets "[]" replaced with your own identifying
17b89a8333Snatalie li - Sun Microsystems - Irvine United States * information: Portions Copyright [yyyy] [name of copyright owner]
18b89a8333Snatalie li - Sun Microsystems - Irvine United States *
19b89a8333Snatalie li - Sun Microsystems - Irvine United States * CDDL HEADER END
20b89a8333Snatalie li - Sun Microsystems - Irvine United States */
21b89a8333Snatalie li - Sun Microsystems - Irvine United States /*
221fdeec65Sjoyce mcintosh * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
23b89a8333Snatalie li - Sun Microsystems - Irvine United States */
24b89a8333Snatalie li - Sun Microsystems - Irvine United States
25b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <unistd.h>
26b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <strings.h>
27b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <pwd.h>
28b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <grp.h>
29b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <time.h>
30b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <syslog.h>
31b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <assert.h>
3229bd2886SAlan Wright #include <synch.h>
33b89a8333Snatalie li - Sun Microsystems - Irvine United States
34b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <smbsrv/libsmb.h>
35b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <smbsrv/libmlsvc.h>
36b89a8333Snatalie li - Sun Microsystems - Irvine United States
37b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <smbsrv/smbinfo.h>
38b89a8333Snatalie li - Sun Microsystems - Irvine United States #include <smbsrv/smb_token.h>
398d7e4166Sjose borrego #include <lsalib.h>
40b89a8333Snatalie li - Sun Microsystems - Irvine United States
/*
 * Well-known accounts resolved once by smb_logon_init() and released by
 * smb_logon_fini().  Both of those functions write these under the write
 * side of smb_logoninit_rwl; readers elsewhere in this file are presumably
 * expected to hold the read side (not visible in this excerpt).
 */
static smb_account_t smb_guest;
static smb_account_t smb_domusers;
static rwlock_t smb_logoninit_rwl;

/* Signature shared by the logon methods that smb_logon() dispatches to. */
typedef void (*smb_logonop_t)(smb_logon_t *, smb_token_t *);

/* Logon methods; the domain one lives in another file. */
extern void smb_logon_domain(smb_logon_t *, smb_token_t *);
static void smb_logon_local(smb_logon_t *, smb_token_t *);
static void smb_logon_guest(smb_logon_t *, smb_token_t *);
static void smb_logon_anon(smb_logon_t *, smb_token_t *);

static uint32_t smb_token_auth_local(smb_logon_t *, smb_token_t *,
    smb_passwd_t *);

/* Per-logon-type token construction. */
static uint32_t smb_token_setup_local(smb_passwd_t *, smb_token_t *);
static uint32_t smb_token_setup_guest(smb_logon_t *, smb_token_t *);
static uint32_t smb_token_setup_anon(smb_token_t *token);

static boolean_t smb_token_is_member(smb_token_t *, smb_sid_t *);
static uint32_t smb_token_setup_wingrps(smb_token_t *);
static smb_posix_grps_t *smb_token_create_pxgrps(uid_t);

static void smb_guest_account(char *, size_t);

/* Consolidation private function from Network Repository */
extern int _getgroupsbymember(const char *, gid_t[], int, int);
67b89a8333Snatalie li - Sun Microsystems - Irvine United States
/*
 * Queue one SID-to-ID lookup.  The map's result slot is pointed at the
 * id's i_id field, so the ID lands directly in the token once the batch
 * is run.
 */
static idmap_stat
smb_token_idmap_queue(smb_idmap_batch_t *sib, smb_idmap_t *map,
    smb_id_t *ident, int idtype)
{
	map->sim_id = &ident->i_id;
	return (smb_idmap_batch_getid(sib->sib_idmaph, map, ident->i_sid,
	    idtype));
}

/*
 * smb_token_idmap
 *
 * Queue a lookup for every SID carried by the token: user, owner, primary
 * group and each Windows group, in that order.  Anonymous tokens
 * (SMB_ATF_ANON) have no user/owner SID to map, so those two IDs are fixed
 * to UID_NOBODY and no lookup is queued for them.
 *
 * The caller must have created the batch with one slot per queued lookup
 * (see smb_token_sids2ids); the slots are consumed sequentially from
 * sib_maps.
 *
 * Returns IDMAP_ERR_ARG for a NULL token or batch, otherwise the status
 * of the first lookup that failed to queue, or IDMAP_SUCCESS.
 */
static idmap_stat
smb_token_idmap(smb_token_t *token, smb_idmap_batch_t *sib)
{
	idmap_stat	status;
	smb_idmap_t	*map;
	int		n;

	if (token == NULL || sib == NULL)
		return (IDMAP_ERR_ARG);

	map = sib->sib_maps;

	if ((token->tkn_flags & SMB_ATF_ANON) != 0) {
		/* Anonymous: nothing to map, pin both IDs to nobody. */
		token->tkn_user.i_id = UID_NOBODY;
		token->tkn_owner.i_id = UID_NOBODY;
	} else {
		status = smb_token_idmap_queue(sib, map++, &token->tkn_user,
		    SMB_IDMAP_USER);
		if (status != IDMAP_SUCCESS)
			return (status);

		status = smb_token_idmap_queue(sib, map++, &token->tkn_owner,
		    SMB_IDMAP_USER);
		if (status != IDMAP_SUCCESS)
			return (status);
	}

	status = smb_token_idmap_queue(sib, map++, &token->tkn_primary_grp,
	    SMB_IDMAP_GROUP);
	if (status != IDMAP_SUCCESS)
		return (status);

	for (n = 0; n < token->tkn_win_grps.i_cnt; n++) {
		status = smb_token_idmap_queue(sib, map++,
		    &token->tkn_win_grps.i_ids[n], SMB_IDMAP_GROUP);
		if (status != IDMAP_SUCCESS)
			break;
	}

	return (status);
}
126b89a8333Snatalie li - Sun Microsystems - Irvine United States
/*
 * smb_token_sids2ids
 *
 * Map every SID in the access token to a UID/GID in one idmap batch.
 * The IDs are written straight into the token by the batch (see
 * smb_token_idmap).
 *
 * Returns 0 upon success. Otherwise, returns -1.
 */
static int
smb_token_sids2ids(smb_token_t *token)
{
	smb_idmap_batch_t	batch;
	idmap_stat		status;
	int			nlookups;

	/*
	 * One lookup per Windows group plus the primary group.  User and
	 * owner are looked up as well, except for Anonymous, whose
	 * user/owner IDs are assigned without a lookup.
	 */
	nlookups = token->tkn_win_grps.i_cnt;
	nlookups += (token->tkn_flags & SMB_ATF_ANON) ? 1 : 3;

	if (smb_idmap_batch_create(&batch, nlookups, SMB_IDMAP_SID2ID) !=
	    IDMAP_SUCCESS)
		return (-1);

	status = smb_token_idmap(token, &batch);
	if (status == IDMAP_SUCCESS) {
		status = smb_idmap_batch_getmappings(&batch);
		smb_idmap_batch_destroy(&batch);
		smb_idmap_check("smb_idmap_batch_getmappings", status);
	} else {
		smb_idmap_batch_destroy(&batch);
	}

	return ((status == IDMAP_SUCCESS) ? 0 : -1);
}
166b89a8333Snatalie li - Sun Microsystems - Irvine United States
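/*
 * smb_token_create_pxgrps
 *
 * Setup the POSIX group membership of the access token if the given UID is
 * a POSIX UID (non-ephemeral). Both the user's primary group and
 * supplementary groups will be added to the POSIX group array of the access
 * token.
 *
 * Returns a newly allocated group set owned by the caller (released with
 * free(), see smb_token_destroy), or NULL when the system group limit
 * cannot be read or an allocation fails.  A UID without a passwd entry
 * yields an empty set; an entry without a name yields the primary group
 * only.
 *
 * NOTE(review): getpwuid() hands back a static, per-process result.  If
 * other passwd lookups can run concurrently in this daemon, the entry may
 * be overwritten underneath us; getpwuid_r() would be the safer call.
 */
static smb_posix_grps_t *
smb_token_create_pxgrps(uid_t uid)
{
	struct passwd *pwd;
	smb_posix_grps_t *pgrps;
	int ngroups_max, num;
	gid_t *gids;

	if ((ngroups_max = sysconf(_SC_NGROUPS_MAX)) < 0) {
		syslog(LOG_ERR, "smb_logon: failed to get _SC_NGROUPS_MAX");
		return (NULL);
	}

	pwd = getpwuid(uid);
	if (pwd == NULL) {
		/* Not a POSIX user (e.g. ephemeral ID): empty group set. */
		pgrps = malloc(sizeof (smb_posix_grps_t));
		if (pgrps == NULL)
			return (NULL);

		pgrps->pg_ngrps = 0;
		return (pgrps);
	}

	if (pwd->pw_name == NULL) {
		/*
		 * No name to look supplementary groups up by.  Size the set
		 * for exactly one gid, the same way the fallback path below
		 * does, rather than assuming the bare struct has room for it.
		 */
		pgrps = malloc(SMB_POSIX_GRPS_SIZE(1));
		if (pgrps == NULL)
			return (NULL);

		pgrps->pg_ngrps = 1;
		pgrps->pg_grps[0] = pwd->pw_gid;
		return (pgrps);
	}

	/* calloc() zero-fills and checks the size multiplication. */
	gids = calloc(ngroups_max, sizeof (gid_t));
	if (gids == NULL)
		return (NULL);

	gids[0] = pwd->pw_gid;

	/*
	 * Setup the groups starting at index 1 (the last arg)
	 * of gids array.
	 */
	num = _getgroupsbymember(pwd->pw_name, gids, ngroups_max, 1);

	if (num < 0) {
		/*
		 * Best effort: a negative count must never reach the size
		 * computation below, so fall back to the primary group alone.
		 */
		syslog(LOG_ERR, "smb_logon: unable "
		    "to get user's supplementary groups");
		num = 1;
	}

	pgrps = malloc(SMB_POSIX_GRPS_SIZE(num));
	if (pgrps != NULL) {
		pgrps->pg_ngrps = num;
		bcopy(gids, pgrps->pg_grps, num * sizeof (gid_t));
	}

	free(gids);
	return (pgrps);
}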
237b89a8333Snatalie li - Sun Microsystems - Irvine United States
/*
 * smb_token_destroy
 *
 * Release all of the memory associated with a token structure. Ensure
 * that the token has been unlinked before calling.  A NULL token is
 * accepted and ignored.
 */
void
smb_token_destroy(smb_token_t *token)
{
	if (token == NULL)
		return;

	/* SIDs and Windows group list. */
	smb_sid_free(token->tkn_user.i_sid);
	smb_sid_free(token->tkn_owner.i_sid);
	smb_sid_free(token->tkn_primary_grp.i_sid);
	smb_ids_free(&token->tkn_win_grps);

	/* Privileges, POSIX groups, names. */
	smb_privset_free(token->tkn_privileges);
	free(token->tkn_posix_grps);
	free(token->tkn_account_name);
	free(token->tkn_domain_name);

	/*
	 * NOTE(review): the session key is released without being scrubbed,
	 * and the bzero() of the token right before free() is a dead store
	 * a compiler may drop.  explicit_bzero() (or an equivalent) on the
	 * key — once its size is known here — and on the token would be the
	 * safer choice.
	 */
	free(token->tkn_session_key);

	bzero(token, sizeof (smb_token_t));
	free(token);
}
261b89a8333Snatalie li - Sun Microsystems - Irvine United States
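/*
 * Token owner should be set to local Administrators group
 * in two cases:
 * 1. The logged on user is a member of Domain Admins group
 * 2. he/she is a member of local Administrators group
 *
 * Group ownership is only compiled in with SMB_SUPPORT_GROUP_OWNER; the
 * default build simply duplicates the user SID as the owner SID.  In both
 * builds tkn_owner.i_sid ends up as a fresh copy (or NULL if smb_sid_dup()
 * failed), which the caller checks.  The flags must already be set, since
 * the group-owner path keys off SMB_ATF_ADMIN.
 *
 * The conditional path previously dereferenced tkn_user as a pointer and
 * then had its result overwritten (and leaked) by the unconditional
 * assignment after the #endif; the #else keeps the two paths exclusive.
 */
static void
smb_token_set_owner(smb_token_t *token)
{
#ifdef SMB_SUPPORT_GROUP_OWNER
	smb_sid_t *owner_sid;

	if (token->tkn_flags & SMB_ATF_ADMIN) {
		owner_sid = smb_wka_get_sid("Administrators");
		assert(owner_sid);
	} else {
		/* tkn_user is embedded in the token, not pointed to. */
		owner_sid = token->tkn_user.i_sid;
	}

	token->tkn_owner.i_sid = smb_sid_dup(owner_sid);
#else
	token->tkn_owner.i_sid = smb_sid_dup(token->tkn_user.i_sid);
#endif
}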
285b89a8333Snatalie li - Sun Microsystems - Irvine United States
/*
 * Build the privilege set for a token: the union of the privileges of
 * every local group the user SID belongs to, plus — for administrators
 * (SMB_ATF_ADMIN) — the privileges of the local Administrators group and
 * SE_SECURITY_LUID.
 *
 * Returns a new privilege set owned by the caller, or NULL if the set
 * could not be allocated or the local group iterator could not be opened.
 */
static smb_privset_t *
smb_token_create_privs(smb_token_t *token)
{
	smb_privset_t	*privset;
	smb_giter_t	iter;
	smb_group_t	group;
	char		admgrp[] = "Administrators";

	if ((privset = smb_privset_new()) == NULL)
		return (NULL);

	if (smb_lgrp_iteropen(&iter) != SMB_LGRP_SUCCESS) {
		smb_privset_free(privset);
		return (NULL);
	}

	/* Merge the privileges of each local group the user is a member of. */
	while (smb_lgrp_iterate(&iter, &group) == SMB_LGRP_SUCCESS) {
		if (smb_lgrp_is_member(&group, token->tkn_user.i_sid))
			smb_privset_merge(privset, group.sg_privs);
		smb_lgrp_free(&group);
	}
	smb_lgrp_iterclose(&iter);

	if ((token->tkn_flags & SMB_ATF_ADMIN) == 0)
		return (privset);

	/* Administrators also inherit the local Administrators group privs. */
	if (smb_lgrp_getbyname(admgrp, &group) == SMB_LGRP_SUCCESS) {
		smb_privset_merge(privset, group.sg_privs);
		smb_lgrp_free(&group);
	}

	/*
	 * This privilege is required to view/edit SACL
	 */
	smb_privset_enable(privset, SE_SECURITY_LUID);

	return (privset);
}
327b89a8333Snatalie li - Sun Microsystems - Irvine United States
/*
 * Derive the token's role flags from membership in the well-known local
 * groups.  Flags are only ever OR-ed in; nothing is cleared here.
 */
static void
smb_token_set_flags(smb_token_t *token)
{
	static const struct {
		char		*wka_name;
		uint32_t	flag;
	} wka_flags[] = {
		{ "Administrators",	SMB_ATF_ADMIN },
		{ "Power Users",	SMB_ATF_POWERUSER },
		{ "Backup Operators",	SMB_ATF_BACKUPOP }
	};
	size_t i;

	for (i = 0; i < sizeof (wka_flags) / sizeof (wka_flags[0]); i++) {
		if (smb_token_is_member(token,
		    smb_wka_get_sid(wka_flags[i].wka_name)))
			token->tkn_flags |= wka_flags[i].flag;
	}
}
340b89a8333Snatalie li - Sun Microsystems - Irvine United States
/*
 * Common token setup for both local and domain users.
 * This function must be called after the initial setup
 * has been done (user/owner/primary group SIDs, Windows groups and
 * names filled in).
 *
 * Note that the order of calls in this function are important:
 *  - flags first, because the owner selection (group-owner build) and
 *    the privilege set both key off SMB_ATF_ADMIN;
 *  - SID-to-ID mapping before the POSIX groups, because the group lookup
 *    uses the mapped tkn_user.i_id.
 *
 * Returns B_FALSE on the first failure, leaving whatever was already
 * attached to the token for smb_token_destroy() to release.
 */
static boolean_t
smb_token_setup_common(smb_token_t *token)
{
	smb_token_set_flags(token);

	/* Owner SID is a fresh duplicate; NULL means the dup failed. */
	smb_token_set_owner(token);
	if (token->tkn_owner.i_sid == NULL)
		return (B_FALSE);

	/* Privileges */
	token->tkn_privileges = smb_token_create_privs(token);
	if (token->tkn_privileges == NULL)
		return (B_FALSE);

	if (smb_token_sids2ids(token) != 0) {
		syslog(LOG_ERR, "%s\\%s: idmap failed",
		    token->tkn_domain_name, token->tkn_account_name);
		return (B_FALSE);
	}

	/*
	 * Solaris Groups.  A NULL result is not checked here; presumably
	 * smb_token_valid() below rejects it — verify against its definition.
	 */
	token->tkn_posix_grps = smb_token_create_pxgrps(token->tkn_user.i_id);

	return (smb_token_valid(token));
}
373b89a8333Snatalie li - Sun Microsystems - Irvine United States
/*
 * Resolve the well-known "guest" user and "domain users" group once, under
 * the write side of smb_logoninit_rwl.  On failure nothing is left
 * allocated: a failed second lookup releases the first.
 *
 * Returns the NT status of the failing lookup, or NT_STATUS_SUCCESS.
 */
uint32_t
smb_logon_init(void)
{
	uint32_t status;

	(void) rw_wrlock(&smb_logoninit_rwl);

	status = smb_sam_lookup_name(NULL, "guest", SidTypeUser, &smb_guest);
	if (status != NT_STATUS_SUCCESS)
		goto out;

	status = smb_sam_lookup_name(NULL, "domain users", SidTypeGroup,
	    &smb_domusers);
	if (status != NT_STATUS_SUCCESS) {
		/* Don't leave a half-initialised state behind. */
		smb_account_free(&smb_guest);
		bzero(&smb_guest, sizeof (smb_account_t));
	}

out:
	(void) rw_unlock(&smb_logoninit_rwl);
	return (status);
}
39829bd2886SAlan Wright
/*
 * Release the well-known accounts resolved by smb_logon_init() and zero
 * them, under the write side of smb_logoninit_rwl.
 */
void
smb_logon_fini(void)
{
	(void) rw_wrlock(&smb_logoninit_rwl);

	smb_account_free(&smb_guest);
	bzero(&smb_guest, sizeof (smb_account_t));

	smb_account_free(&smb_domusers);
	bzero(&smb_domusers, sizeof (smb_account_t));

	(void) rw_unlock(&smb_logoninit_rwl);
}
40929bd2886SAlan Wright
410b89a8333Snatalie li - Sun Microsystems - Irvine United States /*
4119fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * Perform user authentication.
412b89a8333Snatalie li - Sun Microsystems - Irvine United States *
4139fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * The dispatched functions must only update the user_info status if they
4149fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * attempt to authenticate the user.
415b89a8333Snatalie li - Sun Microsystems - Irvine United States *
4169fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * On success, a pointer to a new access token is returned.
417b89a8333Snatalie li - Sun Microsystems - Irvine United States */
/*
 * Authenticate the user described by user_info by trying each logon
 * operation in order (anonymous, local, domain, guest) until one of them
 * reports NT_STATUS_SUCCESS in user_info->lg_status.
 *
 * lg_status is primed with NT_STATUS_NO_SUCH_USER so that a request no
 * operation chooses to handle fails closed; each operation only writes
 * lg_status when it actually attempts authentication.
 *
 * Returns a newly allocated token on success (caller owns it, released
 * with smb_token_destroy), or NULL on failure.
 */
smb_token_t *
smb_logon(smb_logon_t *user_info)
{
	static smb_logonop_t ops[] = {
		smb_logon_anon,
		smb_logon_local,
		smb_logon_domain,
		smb_logon_guest
	};
	const size_t n_op = sizeof (ops) / sizeof (ops[0]);
	smb_token_t *token;
	smb_domain_t domain;
	size_t i;

	user_info->lg_secmode = smb_config_get_secmode();
	user_info->lg_status = NT_STATUS_NO_SUCH_USER;

	if (smb_domain_lookup_name(user_info->lg_e_domain, &domain))
		user_info->lg_domain_type = domain.di_type;
	else
		user_info->lg_domain_type = SMB_DOMAIN_NULL;

	token = calloc(1, sizeof (*token));
	if (token == NULL) {
		syslog(LOG_ERR, "logon[%s\\%s]: %m",
		    user_info->lg_e_domain, user_info->lg_e_username);
		return (NULL);
	}

	for (i = 0; i < n_op; ++i) {
		ops[i](user_info, token);
		if (user_info->lg_status == NT_STATUS_SUCCESS)
			break;
	}

	if (user_info->lg_status == NT_STATUS_SUCCESS &&
	    smb_token_setup_common(token))
		return (token);

	/* either no op authenticated the user or the common setup failed */
	smb_token_destroy(token);
	return (NULL);
}
4617f667e74Sjose borrego
462b89a8333Snatalie li - Sun Microsystems - Irvine United States /*
4639fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * If the user has an entry in the local database, attempt local authentication.
464b89a8333Snatalie li - Sun Microsystems - Irvine United States *
4659fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * In domain mode, we try to exclude domain accounts, which we do by only
4669fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * accepting local or null (blank) domain names here. Some clients (Mac OS)
4679fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * don't always send the domain name.
468b89a8333Snatalie li - Sun Microsystems - Irvine United States *
4699fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * If we are not going to attempt authentication, this function must return
4709fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * without updating the status.
471b89a8333Snatalie li - Sun Microsystems - Irvine United States */
/*
 * Local-database logon operation.
 *
 * In domain mode only requests carrying a local or blank domain name are
 * handled here; anything else is left for the domain operation and
 * lg_status is not touched. Otherwise the request is validated against the
 * local SMB password database and, on success, the token is populated as a
 * guest token (when the requested name is the guest account) or as a
 * regular local-user token.
 *
 * smbpw is filled in by smb_token_auth_local() and holds the stored
 * credential record for the user; it lives on this stack frame only.
 */
static void
smb_logon_local(smb_logon_t *user_info, smb_token_t *token)
{
	char guest[SMB_USERNAME_MAXLEN];
	smb_passwd_t smbpw;
	uint32_t status;
	boolean_t isguest;

	if ((user_info->lg_secmode == SMB_SECMODE_DOMAIN) &&
	    (user_info->lg_domain_type != SMB_DOMAIN_LOCAL) &&
	    (user_info->lg_domain_type != SMB_DOMAIN_NULL))
		return;

	smb_guest_account(guest, SMB_USERNAME_MAXLEN);
	isguest = (smb_strcasecmp(guest, user_info->lg_e_username, 0) == 0);

	status = smb_token_auth_local(user_info, token, &smbpw);
	if (status != NT_STATUS_SUCCESS) {
		user_info->lg_status = status;
		return;
	}

	user_info->lg_status = isguest ?
	    smb_token_setup_guest(user_info, token) :
	    smb_token_setup_local(&smbpw, token);
}
49929bd2886SAlan Wright
50029bd2886SAlan Wright /*
5019fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * Guest authentication. This may be a local guest account or the guest
5029fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * account may be mapped to a local account. These accounts are regular
5039fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * accounts with normal password protection.
5049fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States *
5059fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * Only proceed with a guest logon if previous logon options have resulted
5069fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * in NO_SUCH_USER.
5079fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States *
5089fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * If we are not going to attempt authentication, this function must return
5099fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * without updating the status.
51029bd2886SAlan Wright */
/*
 * Guest logon operation, tried last.
 *
 * Only runs when every previous operation left lg_status at
 * NT_STATUS_NO_SUCH_USER; otherwise it returns without touching the status.
 * The request's user name is temporarily replaced by the configured guest
 * account name so that smb_token_auth_local() and smb_token_setup_guest()
 * operate on the guest account, and restored before returning.
 *
 * Note the acceptance rule: an absent guest password entry
 * (NT_STATUS_NO_SUCH_USER) is treated like a successful validation, so in
 * that configuration a guest logon is granted without a password check.
 * A disabled guest account or a wrong password is still rejected.
 */
static void
smb_logon_guest(smb_logon_t *user_info, smb_token_t *token)
{
	char guest[SMB_USERNAME_MAXLEN];
	smb_passwd_t smbpw;
	char *saved_name;
	uint32_t status;

	if (user_info->lg_status != NT_STATUS_NO_SUCH_USER)
		return;

	smb_guest_account(guest, SMB_USERNAME_MAXLEN);

	saved_name = user_info->lg_e_username;
	user_info->lg_e_username = guest;

	status = smb_token_auth_local(user_info, token, &smbpw);
	if (status == NT_STATUS_NO_SUCH_USER || status == NT_STATUS_SUCCESS)
		status = smb_token_setup_guest(user_info, token);

	user_info->lg_e_username = saved_name;
	user_info->lg_status = status;
}
535b89a8333Snatalie li - Sun Microsystems - Irvine United States
536b89a8333Snatalie li - Sun Microsystems - Irvine United States /*
5379fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * If user_info represents an anonymous user then setup the token.
5389fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * Otherwise return without updating the status.
5399fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States */
/*
 * Anonymous logon operation: populate the token only when the request is
 * flagged SMB_ATF_ANON; otherwise leave lg_status untouched.
 */
static void
smb_logon_anon(smb_logon_t *user_info, smb_token_t *token)
{
	if ((user_info->lg_flags & SMB_ATF_ANON) == 0)
		return;

	user_info->lg_status = smb_token_setup_anon(token);
}
5469fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States
5479fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States /*
5489fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * Try both LM hash and NT hashes with user's password(s) to authenticate
5499fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * the user.
550b89a8333Snatalie li - Sun Microsystems - Irvine United States */
/*
 * Validate the client's challenge response against the local SMB password
 * entry for lg_e_username, which is read into *smbpw.
 *
 * The LM response is checked only when the stored entry allows it
 * (SMB_PWF_LM) and the client sent one; the NT response is checked only
 * when LM did not already succeed. A successful NT validation leaves a
 * freshly allocated session key in token->tkn_session_key (the token owns
 * it); the LM path leaves it NULL.
 *
 * Returns NT_STATUS_SUCCESS, NT_STATUS_NO_SUCH_USER (no local entry),
 * NT_STATUS_ACCOUNT_DISABLED, NT_STATUS_NO_MEMORY, or
 * NT_STATUS_WRONG_PASSWORD (logged at LOG_NOTICE).
 */
static uint32_t
smb_token_auth_local(smb_logon_t *user_info, smb_token_t *token,
    smb_passwd_t *smbpw)
{
	boolean_t lm_ok = B_FALSE;
	boolean_t nt_ok = B_FALSE;
	uint32_t status;

	if (smb_pwd_getpwnam(user_info->lg_e_username, smbpw) == NULL)
		return (NT_STATUS_NO_SUCH_USER);

	if (smbpw->pw_flags & SMB_PWF_DISABLE)
		return (NT_STATUS_ACCOUNT_DISABLED);

	if ((smbpw->pw_flags & SMB_PWF_LM) &&
	    (user_info->lg_lm_password.len != 0)) {
		lm_ok = smb_auth_validate_lm(
		    user_info->lg_challenge_key.val,
		    user_info->lg_challenge_key.len,
		    smbpw,
		    user_info->lg_lm_password.val,
		    user_info->lg_lm_password.len,
		    user_info->lg_domain,
		    user_info->lg_username);
		token->tkn_session_key = NULL;
	}

	if (!lm_ok && (user_info->lg_nt_password.len != 0)) {
		token->tkn_session_key = malloc(SMBAUTH_SESSION_KEY_SZ);
		if (token->tkn_session_key == NULL)
			return (NT_STATUS_NO_MEMORY);
		nt_ok = smb_auth_validate_nt(
		    user_info->lg_challenge_key.val,
		    user_info->lg_challenge_key.len,
		    smbpw,
		    user_info->lg_nt_password.val,
		    user_info->lg_nt_password.len,
		    user_info->lg_domain,
		    user_info->lg_username,
		    (uchar_t *)token->tkn_session_key);
	}

	if (lm_ok || nt_ok)
		return (NT_STATUS_SUCCESS);

	status = NT_STATUS_WRONG_PASSWORD;
	syslog(LOG_NOTICE, "logon[%s\\%s]: %s",
	    user_info->lg_e_domain, user_info->lg_e_username,
	    xlate_nt_status(status));
	return (status);
}
60229bd2886SAlan Wright
603b89a8333Snatalie li - Sun Microsystems - Irvine United States /*
6047f667e74Sjose borrego * Setup an access token for the specified local user.
605b89a8333Snatalie li - Sun Microsystems - Irvine United States */
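/*
 * Setup an access token for the specified local user.
 *
 * Fills in the account and domain names (the local NetBIOS name), then
 * maps the user's uid and gid to SIDs through a two-entry idmap batch
 * and finishes with smb_token_setup_wingrps().
 *
 * Every failure after smb_idmap_batch_create() succeeds must destroy the
 * batch, including a failed smb_idmap_batch_getmappings(); the previous
 * version returned from that check without doing so and leaked the batch.
 *
 * Returns NT_STATUS_SUCCESS, NT_STATUS_NO_MEMORY, NT_STATUS_NO_SUCH_USER
 * (getpwuid_r found no entry, or could not fit it in the fixed pwbuf), or
 * NT_STATUS_INTERNAL_ERROR for idmap failures.
 */
static uint32_t
smb_token_setup_local(smb_passwd_t *smbpw, smb_token_t *token)
{
	idmap_stat stat;
	smb_idmap_batch_t sib;
	smb_idmap_t *umap, *gmap;
	struct passwd pw;
	char pwbuf[1024];
	char nbname[NETBIOS_NAME_SZ];

	(void) smb_getnetbiosname(nbname, sizeof (nbname));
	token->tkn_account_name = strdup(smbpw->pw_name);
	token->tkn_domain_name = strdup(nbname);

	if (token->tkn_account_name == NULL ||
	    token->tkn_domain_name == NULL)
		return (NT_STATUS_NO_MEMORY);

	if (getpwuid_r(smbpw->pw_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL)
		return (NT_STATUS_NO_SUCH_USER);

	/* Get the SID for user's uid & gid */
	stat = smb_idmap_batch_create(&sib, 2, SMB_IDMAP_ID2SID);
	if (stat != IDMAP_SUCCESS)
		return (NT_STATUS_INTERNAL_ERROR);

	umap = &sib.sib_maps[0];
	stat = smb_idmap_batch_getsid(sib.sib_idmaph, umap, pw.pw_uid,
	    SMB_IDMAP_USER);
	if (stat != IDMAP_SUCCESS)
		goto fail_batch;

	gmap = &sib.sib_maps[1];
	stat = smb_idmap_batch_getsid(sib.sib_idmaph, gmap, pw.pw_gid,
	    SMB_IDMAP_GROUP);
	if (stat != IDMAP_SUCCESS)
		goto fail_batch;

	/* previously the batch was leaked on this particular failure */
	if (smb_idmap_batch_getmappings(&sib) != IDMAP_SUCCESS)
		goto fail_batch;

	token->tkn_user.i_sid = smb_sid_dup(umap->sim_sid);
	token->tkn_primary_grp.i_sid = smb_sid_dup(gmap->sim_sid);

	smb_idmap_batch_destroy(&sib);

	if (token->tkn_user.i_sid == NULL ||
	    token->tkn_primary_grp.i_sid == NULL)
		return (NT_STATUS_NO_MEMORY);

	return (smb_token_setup_wingrps(token));

fail_batch:
	smb_idmap_batch_destroy(&sib);
	return (NT_STATUS_INTERNAL_ERROR);
}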
664b89a8333Snatalie li - Sun Microsystems - Irvine United States
665b89a8333Snatalie li - Sun Microsystems - Irvine United States /*
66629bd2886SAlan Wright * Setup access token for guest connections
66729bd2886SAlan Wright */
/*
 * Setup access token for guest connections.
 *
 * The account name comes from the request (the guest name substituted by
 * the caller); the domain name, user SID and primary group SID are copied
 * from smb_guest / smb_domusers under the read side of smb_logoninit_rwl.
 * If smb_logon_init() never succeeded those accounts are zeroed, and the
 * NULL-duplicate check below turns that into NT_STATUS_NO_MEMORY
 * (assuming smb_sid_dup(NULL) yields NULL — TODO confirm).
 */
static uint32_t
smb_token_setup_guest(smb_logon_t *user_info, smb_token_t *token)
{
	boolean_t complete;

	token->tkn_flags = SMB_ATF_GUEST;
	token->tkn_account_name = strdup(user_info->lg_e_username);

	(void) rw_rdlock(&smb_logoninit_rwl);
	token->tkn_domain_name = strdup(smb_guest.a_domain);
	token->tkn_user.i_sid = smb_sid_dup(smb_guest.a_sid);
	token->tkn_primary_grp.i_sid = smb_sid_dup(smb_domusers.a_sid);
	(void) rw_unlock(&smb_logoninit_rwl);

	complete = (token->tkn_account_name != NULL) &&
	    (token->tkn_domain_name != NULL) &&
	    (token->tkn_user.i_sid != NULL) &&
	    (token->tkn_primary_grp.i_sid != NULL);

	if (!complete)
		return (NT_STATUS_NO_MEMORY);

	return (smb_token_setup_wingrps(token));
}
68829bd2886SAlan Wright
68929bd2886SAlan Wright /*
69029bd2886SAlan Wright * Setup access token for anonymous connections
691b89a8333Snatalie li - Sun Microsystems - Irvine United States */
/*
 * Setup access token for anonymous connections.
 *
 * Uses the well-known "Anonymous" SID for both the user and the primary
 * group and tags the token SMB_ATF_ANON. Any NULL from strdup()/
 * smb_sid_dup() is reported as NT_STATUS_NO_MEMORY, which also covers a
 * missing well-known SID (whether smb_sid_dup() tolerates a NULL argument
 * is not visible here — TODO confirm).
 */
static uint32_t
smb_token_setup_anon(smb_token_t *token)
{
	smb_sid_t *anon_sid = smb_wka_get_sid("Anonymous");
	boolean_t complete;

	token->tkn_flags = SMB_ATF_ANON;
	token->tkn_account_name = strdup("Anonymous");
	token->tkn_domain_name = strdup("NT Authority");
	token->tkn_user.i_sid = smb_sid_dup(anon_sid);
	token->tkn_primary_grp.i_sid = smb_sid_dup(anon_sid);

	complete = (token->tkn_account_name != NULL) &&
	    (token->tkn_domain_name != NULL) &&
	    (token->tkn_user.i_sid != NULL) &&
	    (token->tkn_primary_grp.i_sid != NULL);

	if (!complete)
		return (NT_STATUS_NO_MEMORY);

	return (smb_token_setup_wingrps(token));
}
712b89a8333Snatalie li - Sun Microsystems - Irvine United States
713b89a8333Snatalie li - Sun Microsystems - Irvine United States /*
714b89a8333Snatalie li - Sun Microsystems - Irvine United States * smb_token_user_sid
715b89a8333Snatalie li - Sun Microsystems - Irvine United States *
716b89a8333Snatalie li - Sun Microsystems - Irvine United States * Return a pointer to the user SID in the specified token. A null
717b89a8333Snatalie li - Sun Microsystems - Irvine United States * pointer indicates an error.
718b89a8333Snatalie li - Sun Microsystems - Irvine United States */
/*
 * smb_token_user_sid
 *
 * Return the user SID stored in the token, or NULL when no token is given
 * (the SID itself may also be NULL if the token was never populated).
 */
static smb_sid_t *
smb_token_user_sid(smb_token_t *token)
{
	if (token == NULL)
		return (NULL);

	return (token->tkn_user.i_sid);
}
724b89a8333Snatalie li - Sun Microsystems - Irvine United States
725b89a8333Snatalie li - Sun Microsystems - Irvine United States /*
726b89a8333Snatalie li - Sun Microsystems - Irvine United States * smb_token_group_sid
727b89a8333Snatalie li - Sun Microsystems - Irvine United States *
728b89a8333Snatalie li - Sun Microsystems - Irvine United States * Return a pointer to the group SID as indicated by the iterator.
729b89a8333Snatalie li - Sun Microsystems - Irvine United States * Setting the iterator to 0 before calling this function will return
730b89a8333Snatalie li - Sun Microsystems - Irvine United States * the first group, which will always be the primary group. The
731b89a8333Snatalie li - Sun Microsystems - Irvine United States * iterator will be incremented before returning the SID so that this
732b89a8333Snatalie li - Sun Microsystems - Irvine United States * function can be used to cycle through the groups. The caller can
733b89a8333Snatalie li - Sun Microsystems - Irvine United States * adjust the iterator as required between calls to obtain any specific
734b89a8333Snatalie li - Sun Microsystems - Irvine United States * group.
735b89a8333Snatalie li - Sun Microsystems - Irvine United States *
736b89a8333Snatalie li - Sun Microsystems - Irvine United States * On success a pointer to the appropriate group SID will be returned.
737b89a8333Snatalie li - Sun Microsystems - Irvine United States * Otherwise a null pointer will be returned.
738b89a8333Snatalie li - Sun Microsystems - Irvine United States */
/*
 * smb_token_group_sid
 *
 * Return the SID of the Windows group selected by *iterator and advance
 * the iterator by one, so repeated calls starting from 0 walk the group
 * list in order. Returns NULL (without advancing) for a NULL token or
 * iterator, a token with no group list, or an iterator outside
 * [0, i_cnt).
 */
static smb_sid_t *
smb_token_group_sid(smb_token_t *token, int *iterator)
{
	smb_ids_t *grps;
	int idx;

	if (token == NULL || iterator == NULL)
		return (NULL);

	grps = &token->tkn_win_grps;
	if (grps->i_ids == NULL)
		return (NULL);

	idx = *iterator;
	if (idx < 0 || idx >= grps->i_cnt)
		return (NULL);

	*iterator = idx + 1;
	return (grps->i_ids[idx].i_sid);
}
758b89a8333Snatalie li - Sun Microsystems - Irvine United States
759b89a8333Snatalie li - Sun Microsystems - Irvine United States /*
760b89a8333Snatalie li - Sun Microsystems - Irvine United States * smb_token_is_member
761b89a8333Snatalie li - Sun Microsystems - Irvine United States *
762b89a8333Snatalie li - Sun Microsystems - Irvine United States * This function will determine whether or not the specified SID is a
763b89a8333Snatalie li - Sun Microsystems - Irvine United States * member of a token. The user SID and all group SIDs are tested.
764b89a8333Snatalie li - Sun Microsystems - Irvine United States * Returns B_TRUE if the SID is a member of the token. Otherwise returns B_FALSE.
765b89a8333Snatalie li - Sun Microsystems - Irvine United States */
/*
 * smb_token_is_member
 *
 * Test whether sid matches the token's user SID or any of its Windows
 * group SIDs (walked with smb_token_group_sid). Returns B_TRUE on a
 * match, B_FALSE otherwise or when either argument is NULL.
 */
static boolean_t
smb_token_is_member(smb_token_t *token, smb_sid_t *sid)
{
	smb_sid_t *tsid;
	int iterator = 0;

	if (token == NULL || sid == NULL)
		return (B_FALSE);

	for (tsid = smb_token_user_sid(token); tsid != NULL;
	    tsid = smb_token_group_sid(token, &iterator)) {
		if (smb_sid_cmp(tsid, sid))
			return (B_TRUE);
	}

	return (B_FALSE);
}
785b89a8333Snatalie li - Sun Microsystems - Irvine United States
786b89a8333Snatalie li - Sun Microsystems - Irvine United States /*
787b89a8333Snatalie li - Sun Microsystems - Irvine United States * smb_token_log
788b89a8333Snatalie li - Sun Microsystems - Irvine United States *
789b89a8333Snatalie li - Sun Microsystems - Irvine United States * Diagnostic routine to write the contents of a token to the log.
790b89a8333Snatalie li - Sun Microsystems - Irvine United States */
791b89a8333Snatalie li - Sun Microsystems - Irvine United States void
smb_token_log(smb_token_t * token)792b89a8333Snatalie li - Sun Microsystems - Irvine United States smb_token_log(smb_token_t *token)
793b89a8333Snatalie li - Sun Microsystems - Irvine United States {
7947f667e74Sjose borrego smb_ids_t *w_grps;
7957f667e74Sjose borrego smb_id_t *grp;
796b89a8333Snatalie li - Sun Microsystems - Irvine United States smb_posix_grps_t *x_grps;
797b89a8333Snatalie li - Sun Microsystems - Irvine United States char sidstr[SMB_SID_STRSZ];
798b89a8333Snatalie li - Sun Microsystems - Irvine United States int i;
799b89a8333Snatalie li - Sun Microsystems - Irvine United States
800b89a8333Snatalie li - Sun Microsystems - Irvine United States if (token == NULL)
801b89a8333Snatalie li - Sun Microsystems - Irvine United States return;
802b89a8333Snatalie li - Sun Microsystems - Irvine United States
803b89a8333Snatalie li - Sun Microsystems - Irvine United States syslog(LOG_DEBUG, "Token for %s\\%s",
804b89a8333Snatalie li - Sun Microsystems - Irvine United States (token->tkn_domain_name) ? token->tkn_domain_name : "-NULL-",
805b89a8333Snatalie li - Sun Microsystems - Irvine United States (token->tkn_account_name) ? token->tkn_account_name : "-NULL-");
806b89a8333Snatalie li - Sun Microsystems - Irvine United States
8077f667e74Sjose borrego syslog(LOG_DEBUG, " User->Attr: %d", token->tkn_user.i_attrs);
8087f667e74Sjose borrego smb_sid_tostr((smb_sid_t *)token->tkn_user.i_sid, sidstr);
8097f667e74Sjose borrego syslog(LOG_DEBUG, " User->Sid: %s (id=%u)", sidstr,
8107f667e74Sjose borrego token->tkn_user.i_id);
811b89a8333Snatalie li - Sun Microsystems - Irvine United States
8127f667e74Sjose borrego smb_sid_tostr((smb_sid_t *)token->tkn_owner.i_sid, sidstr);
813b89a8333Snatalie li - Sun Microsystems - Irvine United States syslog(LOG_DEBUG, " Ownr->Sid: %s (id=%u)",
8147f667e74Sjose borrego sidstr, token->tkn_owner.i_id);
815b89a8333Snatalie li - Sun Microsystems - Irvine United States
8167f667e74Sjose borrego smb_sid_tostr((smb_sid_t *)token->tkn_primary_grp.i_sid, sidstr);
817b89a8333Snatalie li - Sun Microsystems - Irvine United States syslog(LOG_DEBUG, " PGrp->Sid: %s (id=%u)",
8187f667e74Sjose borrego sidstr, token->tkn_primary_grp.i_id);
819b89a8333Snatalie li - Sun Microsystems - Irvine United States
8207f667e74Sjose borrego w_grps = &token->tkn_win_grps;
8217f667e74Sjose borrego if (w_grps->i_ids) {
8227f667e74Sjose borrego syslog(LOG_DEBUG, " Windows groups: %d", w_grps->i_cnt);
8237f667e74Sjose borrego grp = w_grps->i_ids;
8247f667e74Sjose borrego for (i = 0; i < w_grps->i_cnt; ++i, grp++) {
825b89a8333Snatalie li - Sun Microsystems - Irvine United States syslog(LOG_DEBUG,
8267f667e74Sjose borrego " Grp[%d].Attr:%d", i, grp->i_attrs);
8277f667e74Sjose borrego if (grp->i_sid != NULL) {
8287f667e74Sjose borrego smb_sid_tostr((smb_sid_t *)grp->i_sid, sidstr);
829b89a8333Snatalie li - Sun Microsystems - Irvine United States syslog(LOG_DEBUG,
830b89a8333Snatalie li - Sun Microsystems - Irvine United States " Grp[%d].Sid: %s (id=%u)", i, sidstr,
8317f667e74Sjose borrego grp->i_id);
832b89a8333Snatalie li - Sun Microsystems - Irvine United States }
833b89a8333Snatalie li - Sun Microsystems - Irvine United States }
8347f667e74Sjose borrego } else {
835b89a8333Snatalie li - Sun Microsystems - Irvine United States syslog(LOG_DEBUG, " No Windows groups");
8367f667e74Sjose borrego }
837b89a8333Snatalie li - Sun Microsystems - Irvine United States
838b89a8333Snatalie li - Sun Microsystems - Irvine United States x_grps = token->tkn_posix_grps;
839b89a8333Snatalie li - Sun Microsystems - Irvine United States if (x_grps) {
8407f667e74Sjose borrego syslog(LOG_DEBUG, " Solaris groups: %d", x_grps->pg_ngrps);
841b89a8333Snatalie li - Sun Microsystems - Irvine United States for (i = 0; i < x_grps->pg_ngrps; i++)
8427f667e74Sjose borrego syslog(LOG_DEBUG, " %u", x_grps->pg_grps[i]);
8437f667e74Sjose borrego } else {
844b89a8333Snatalie li - Sun Microsystems - Irvine United States syslog(LOG_DEBUG, " No Solaris groups");
8457f667e74Sjose borrego }
846b89a8333Snatalie li - Sun Microsystems - Irvine United States
847b89a8333Snatalie li - Sun Microsystems - Irvine United States if (token->tkn_privileges)
848b89a8333Snatalie li - Sun Microsystems - Irvine United States smb_privset_log(token->tkn_privileges);
849b89a8333Snatalie li - Sun Microsystems - Irvine United States else
850b89a8333Snatalie li - Sun Microsystems - Irvine United States syslog(LOG_DEBUG, " No privileges");
851b89a8333Snatalie li - Sun Microsystems - Irvine United States }
8527f667e74Sjose borrego
8537f667e74Sjose borrego /*
8547f667e74Sjose borrego * Sets up local and well-known group membership for the given
8557f667e74Sjose borrego * token. Two assumptions have been made here:
8567f667e74Sjose borrego *
8577f667e74Sjose borrego * a) token already contains a valid user SID so that group
8587f667e74Sjose borrego * memberships can be established
8597f667e74Sjose borrego *
8607f667e74Sjose borrego * b) token belongs to a local or anonymous user
8617f667e74Sjose borrego */
8627f667e74Sjose borrego static uint32_t
smb_token_setup_wingrps(smb_token_t * token)8637f667e74Sjose borrego smb_token_setup_wingrps(smb_token_t *token)
8647f667e74Sjose borrego {
8657f667e74Sjose borrego smb_ids_t tkn_grps;
8667f667e74Sjose borrego uint32_t status;
8677f667e74Sjose borrego
8687f667e74Sjose borrego
8697f667e74Sjose borrego /*
8707f667e74Sjose borrego * We always want the user's primary group in the list
8717f667e74Sjose borrego * of groups.
8727f667e74Sjose borrego */
8737f667e74Sjose borrego tkn_grps.i_cnt = 1;
8747f667e74Sjose borrego if ((tkn_grps.i_ids = malloc(sizeof (smb_id_t))) == NULL)
8757f667e74Sjose borrego return (NT_STATUS_NO_MEMORY);
8767f667e74Sjose borrego
8777f667e74Sjose borrego tkn_grps.i_ids->i_sid = smb_sid_dup(token->tkn_primary_grp.i_sid);
8787f667e74Sjose borrego tkn_grps.i_ids->i_attrs = token->tkn_primary_grp.i_attrs;
8797f667e74Sjose borrego if (tkn_grps.i_ids->i_sid == NULL) {
8807f667e74Sjose borrego smb_ids_free(&tkn_grps);
8817f667e74Sjose borrego return (NT_STATUS_NO_MEMORY);
8827f667e74Sjose borrego }
8837f667e74Sjose borrego
8847f667e74Sjose borrego status = smb_sam_usr_groups(token->tkn_user.i_sid, &tkn_grps);
8857f667e74Sjose borrego if (status != NT_STATUS_SUCCESS) {
8867f667e74Sjose borrego smb_ids_free(&tkn_grps);
8877f667e74Sjose borrego return (status);
8887f667e74Sjose borrego }
8897f667e74Sjose borrego
89029bd2886SAlan Wright status = smb_wka_token_groups(token->tkn_flags, &tkn_grps);
8917f667e74Sjose borrego if (status != NT_STATUS_SUCCESS) {
8927f667e74Sjose borrego smb_ids_free(&tkn_grps);
8937f667e74Sjose borrego return (status);
8947f667e74Sjose borrego }
8957f667e74Sjose borrego
8967f667e74Sjose borrego token->tkn_win_grps = tkn_grps;
8977f667e74Sjose borrego return (status);
8987f667e74Sjose borrego }
89929bd2886SAlan Wright
90029bd2886SAlan Wright /*
90129bd2886SAlan Wright * Returns the guest account name in the provided buffer.
90229bd2886SAlan Wright *
90329bd2886SAlan Wright * By default the name would be "guest" unless there's
90429bd2886SAlan Wright * a idmap name-based rule which maps the guest to a local
90529bd2886SAlan Wright * Solaris user in which case the name of that user is
90629bd2886SAlan Wright * returned.
90729bd2886SAlan Wright */
90829bd2886SAlan Wright static void
smb_guest_account(char * guest,size_t buflen)90929bd2886SAlan Wright smb_guest_account(char *guest, size_t buflen)
91029bd2886SAlan Wright {
91129bd2886SAlan Wright idmap_stat stat;
91229bd2886SAlan Wright uid_t guest_uid;
91329bd2886SAlan Wright struct passwd pw;
91429bd2886SAlan Wright char pwbuf[1024];
91529bd2886SAlan Wright int idtype;
91629bd2886SAlan Wright
91729bd2886SAlan Wright /* default Guest account name */
91829bd2886SAlan Wright (void) rw_rdlock(&smb_logoninit_rwl);
91929bd2886SAlan Wright (void) strlcpy(guest, smb_guest.a_name, buflen);
92029bd2886SAlan Wright
92129bd2886SAlan Wright idtype = SMB_IDMAP_USER;
92229bd2886SAlan Wright stat = smb_idmap_getid(smb_guest.a_sid, &guest_uid, &idtype);
92329bd2886SAlan Wright (void) rw_unlock(&smb_logoninit_rwl);
92429bd2886SAlan Wright
92529bd2886SAlan Wright if (stat != IDMAP_SUCCESS)
92629bd2886SAlan Wright return;
92729bd2886SAlan Wright
9289fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States /* If Ephemeral ID return the default name */
9299fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States if (IDMAP_ID_IS_EPHEMERAL(guest_uid))
93029bd2886SAlan Wright return;
93129bd2886SAlan Wright
93229bd2886SAlan Wright if (getpwuid_r(guest_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL)
93329bd2886SAlan Wright return;
93429bd2886SAlan Wright
93529bd2886SAlan Wright (void) strlcpy(guest, pw.pw_name, buflen);
93629bd2886SAlan Wright }