xref: /titanic_51/usr/src/lib/smbsrv/libmlsvc/common/smb_logon.c (revision 3d5869cc80c26887ee2c78b0f35e58f574e97192)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * Security database interface.
28  */
29 #include <unistd.h>
30 #include <strings.h>
31 #include <pwd.h>
32 #include <grp.h>
33 #include <time.h>
34 #include <syslog.h>
35 #include <assert.h>
36 #include <synch.h>
37 
38 #include <smbsrv/libsmb.h>
39 #include <smbsrv/libmlsvc.h>
40 
41 #include <smbsrv/smbinfo.h>
42 #include <smbsrv/smb_token.h>
43 #include <lsalib.h>
44 
45 static smb_account_t smb_guest;
46 static smb_account_t smb_domusers;
47 static rwlock_t smb_logoninit_rwl;
48 
49 extern uint32_t netlogon_logon(netr_client_t *, smb_token_t *);
50 static uint32_t smb_logon_domain(netr_client_t *, smb_token_t *);
51 static uint32_t smb_logon_local(netr_client_t *, smb_token_t *);
52 static uint32_t smb_logon_guest(netr_client_t *, smb_token_t *);
53 static uint32_t smb_logon_anon(netr_client_t *, smb_token_t *);
54 
55 static uint32_t smb_token_auth_local(netr_client_t *, smb_token_t *,
56     smb_passwd_t *);
57 
58 static uint32_t smb_token_setup_local(smb_passwd_t *, smb_token_t *);
59 static uint32_t smb_token_setup_guest(netr_client_t *, smb_token_t *);
60 static uint32_t smb_token_setup_anon(smb_token_t *token);
61 
62 static boolean_t smb_token_is_member(smb_token_t *, smb_sid_t *);
63 static uint32_t smb_token_setup_wingrps(smb_token_t *);
64 static smb_posix_grps_t *smb_token_create_pxgrps(uid_t);
65 
66 static void smb_guest_account(char *, size_t);
67 
68 /* Consolidation private function from Network Repository */
69 extern int _getgroupsbymember(const char *, gid_t[], int, int);
70 
71 static idmap_stat
72 smb_token_idmap(smb_token_t *token, smb_idmap_batch_t *sib)
73 {
74 	idmap_stat stat;
75 	smb_idmap_t *sim;
76 	smb_id_t *id;
77 	int i;
78 
79 	if (!token || !sib)
80 		return (IDMAP_ERR_ARG);
81 
82 	sim = sib->sib_maps;
83 
84 	if (token->tkn_flags & SMB_ATF_ANON) {
85 		token->tkn_user.i_id = UID_NOBODY;
86 		token->tkn_owner.i_id = UID_NOBODY;
87 	} else {
88 		/* User SID */
89 		id = &token->tkn_user;
90 		sim->sim_id = &id->i_id;
91 		stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++,
92 		    id->i_sid, SMB_IDMAP_USER);
93 
94 		if (stat != IDMAP_SUCCESS)
95 			return (stat);
96 
97 		/* Owner SID */
98 		id = &token->tkn_owner;
99 		sim->sim_id = &id->i_id;
100 		stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++,
101 		    id->i_sid, SMB_IDMAP_USER);
102 
103 		if (stat != IDMAP_SUCCESS)
104 			return (stat);
105 	}
106 
107 	/* Primary Group SID */
108 	id = &token->tkn_primary_grp;
109 	sim->sim_id = &id->i_id;
110 	stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, id->i_sid,
111 	    SMB_IDMAP_GROUP);
112 
113 	if (stat != IDMAP_SUCCESS)
114 		return (stat);
115 
116 	/* Other Windows Group SIDs */
117 	for (i = 0; i < token->tkn_win_grps.i_cnt; i++, sim++) {
118 		id = &token->tkn_win_grps.i_ids[i];
119 		sim->sim_id = &id->i_id;
120 		stat = smb_idmap_batch_getid(sib->sib_idmaph, sim,
121 		    id->i_sid, SMB_IDMAP_GROUP);
122 
123 		if (stat != IDMAP_SUCCESS)
124 			break;
125 	}
126 
127 	return (stat);
128 }
129 
130 /*
131  * smb_token_sids2ids
132  *
133  * This will map all the SIDs of the access token to UIDs/GIDs.
134  *
135  * Returns 0 upon success.  Otherwise, returns -1.
136  */
137 static int
138 smb_token_sids2ids(smb_token_t *token)
139 {
140 	idmap_stat stat;
141 	int nmaps, retries = 0;
142 	smb_idmap_batch_t sib;
143 
144 	/*
145 	 * Number of idmap lookups: user SID, owner SID, primary group SID,
146 	 * and all Windows group SIDs. Skip user/owner SID for Anonymous.
147 	 */
148 	if (token->tkn_flags & SMB_ATF_ANON)
149 		nmaps = token->tkn_win_grps.i_cnt + 1;
150 	else
151 		nmaps = token->tkn_win_grps.i_cnt + 3;
152 
153 	do {
154 		stat = smb_idmap_batch_create(&sib, nmaps, SMB_IDMAP_SID2ID);
155 		if (stat != IDMAP_SUCCESS)
156 			return (-1);
157 
158 		stat = smb_token_idmap(token, &sib);
159 		if (stat != IDMAP_SUCCESS) {
160 			smb_idmap_batch_destroy(&sib);
161 			return (-1);
162 		}
163 
164 		stat = smb_idmap_batch_getmappings(&sib);
165 		smb_idmap_batch_destroy(&sib);
166 		if (stat == IDMAP_ERR_RPC_HANDLE)
167 			if (smb_idmap_restart() < 0)
168 				break;
169 	} while (stat == IDMAP_ERR_RPC_HANDLE && retries++ < 3);
170 
171 	return (stat == IDMAP_SUCCESS ? 0 : -1);
172 }
173 
174 /*
175  * smb_token_create_pxgrps
176  *
177  * Setup the POSIX group membership of the access token if the given UID is
178  * a POSIX UID (non-ephemeral). Both the user's primary group and
179  * supplementary groups will be added to the POSIX group array of the access
180  * token.
181  */
182 static smb_posix_grps_t *
183 smb_token_create_pxgrps(uid_t uid)
184 {
185 	struct passwd *pwd;
186 	smb_posix_grps_t *pgrps;
187 	int ngroups_max, num;
188 	gid_t *gids;
189 
190 	if ((ngroups_max = sysconf(_SC_NGROUPS_MAX)) < 0) {
191 		syslog(LOG_ERR, "smb_logon: failed to get _SC_NGROUPS_MAX");
192 		return (NULL);
193 	}
194 
195 	pwd = getpwuid(uid);
196 	if (pwd == NULL) {
197 		pgrps = malloc(sizeof (smb_posix_grps_t));
198 		if (pgrps == NULL)
199 			return (NULL);
200 
201 		pgrps->pg_ngrps = 0;
202 		return (pgrps);
203 	}
204 
205 	if (pwd->pw_name == NULL) {
206 		pgrps = malloc(sizeof (smb_posix_grps_t));
207 		if (pgrps == NULL)
208 			return (NULL);
209 
210 		pgrps->pg_ngrps = 1;
211 		pgrps->pg_grps[0] = pwd->pw_gid;
212 		return (pgrps);
213 	}
214 
215 	gids = (gid_t *)malloc(ngroups_max * sizeof (gid_t));
216 	if (gids == NULL) {
217 		return (NULL);
218 	}
219 	bzero(gids, ngroups_max * sizeof (gid_t));
220 
221 	gids[0] = pwd->pw_gid;
222 
223 	/*
224 	 * Setup the groups starting at index 1 (the last arg)
225 	 * of gids array.
226 	 */
227 	num = _getgroupsbymember(pwd->pw_name, gids, ngroups_max, 1);
228 
229 	if (num == -1) {
230 		syslog(LOG_ERR, "smb_logon: unable "
231 		    "to get user's supplementary groups");
232 		num = 1;
233 	}
234 
235 	pgrps = (smb_posix_grps_t *)malloc(SMB_POSIX_GRPS_SIZE(num));
236 	if (pgrps) {
237 		pgrps->pg_ngrps = num;
238 		bcopy(gids, pgrps->pg_grps, num * sizeof (gid_t));
239 	}
240 
241 	free(gids);
242 	return (pgrps);
243 }
244 
245 /*
246  * smb_token_destroy
247  *
248  * Release all of the memory associated with a token structure. Ensure
249  * that the token has been unlinked before calling.
250  */
251 void
252 smb_token_destroy(smb_token_t *token)
253 {
254 	if (token != NULL) {
255 		smb_sid_free(token->tkn_user.i_sid);
256 		smb_sid_free(token->tkn_owner.i_sid);
257 		smb_sid_free(token->tkn_primary_grp.i_sid);
258 		smb_ids_free(&token->tkn_win_grps);
259 		smb_privset_free(token->tkn_privileges);
260 		free(token->tkn_posix_grps);
261 		free(token->tkn_account_name);
262 		free(token->tkn_domain_name);
263 		free(token->tkn_session_key);
264 		free(token);
265 	}
266 }
267 
268 /*
269  * Token owner should be set to local Administrators group
270  * in two cases:
271  *   1. The logged on user is a member of Domain Admins group
272  *   2. he/she is a member of local Administrators group
273  */
274 static void
275 smb_token_set_owner(smb_token_t *token)
276 {
277 #ifdef SMB_SUPPORT_GROUP_OWNER
278 	smb_sid_t *owner_sid;
279 
280 	if (token->tkn_flags & SMB_ATF_ADMIN) {
281 		owner_sid = smb_wka_get_sid("Administrators");
282 		assert(owner_sid);
283 	} else {
284 		owner_sid = token->tkn_user->i_sid;
285 	}
286 
287 	token->tkn_owner.i_sid = smb_sid_dup(owner_sid);
288 #endif
289 	token->tkn_owner.i_sid = smb_sid_dup(token->tkn_user.i_sid);
290 }
291 
292 static smb_privset_t *
293 smb_token_create_privs(smb_token_t *token)
294 {
295 	smb_privset_t *privs;
296 	smb_giter_t gi;
297 	smb_group_t grp;
298 	int rc;
299 
300 	privs = smb_privset_new();
301 	if (privs == NULL)
302 		return (NULL);
303 
304 	if (smb_lgrp_iteropen(&gi) != SMB_LGRP_SUCCESS) {
305 		smb_privset_free(privs);
306 		return (NULL);
307 	}
308 
309 	while (smb_lgrp_iterate(&gi, &grp) == SMB_LGRP_SUCCESS) {
310 		if (smb_lgrp_is_member(&grp, token->tkn_user.i_sid))
311 			smb_privset_merge(privs, grp.sg_privs);
312 		smb_lgrp_free(&grp);
313 	}
314 	smb_lgrp_iterclose(&gi);
315 
316 	if (token->tkn_flags & SMB_ATF_ADMIN) {
317 		rc = smb_lgrp_getbyname("Administrators", &grp);
318 		if (rc == SMB_LGRP_SUCCESS) {
319 			smb_privset_merge(privs, grp.sg_privs);
320 			smb_lgrp_free(&grp);
321 		}
322 
323 		/*
324 		 * This privilege is required to view/edit SACL
325 		 */
326 		smb_privset_enable(privs, SE_SECURITY_LUID);
327 	}
328 
329 	return (privs);
330 }
331 
332 static void
333 smb_token_set_flags(smb_token_t *token)
334 {
335 	if (smb_token_is_member(token, smb_wka_get_sid("Administrators")))
336 		token->tkn_flags |= SMB_ATF_ADMIN;
337 
338 	if (smb_token_is_member(token, smb_wka_get_sid("Power Users")))
339 		token->tkn_flags |= SMB_ATF_POWERUSER;
340 
341 	if (smb_token_is_member(token, smb_wka_get_sid("Backup Operators")))
342 		token->tkn_flags |= SMB_ATF_BACKUPOP;
343 }
344 
345 /*
346  * Common token setup for both local and domain users.
347  * This function must be called after the initial setup
348  * has been done.
349  *
350  * Note that the order of calls in this function are important.
351  */
352 static uint32_t
353 smb_token_setup_common(smb_token_t *token)
354 {
355 	smb_token_set_flags(token);
356 
357 	smb_token_set_owner(token);
358 	if (token->tkn_owner.i_sid == NULL)
359 		return (NT_STATUS_NO_MEMORY);
360 
361 	/* Privileges */
362 	token->tkn_privileges = smb_token_create_privs(token);
363 	if (token->tkn_privileges == NULL)
364 		return (NT_STATUS_NO_MEMORY);
365 
366 	if (smb_token_sids2ids(token) != 0) {
367 		syslog(LOG_ERR, "%s\\%s: idmap failed",
368 		    token->tkn_domain_name, token->tkn_account_name);
369 		return (NT_STATUS_INTERNAL_ERROR);
370 	}
371 
372 	/* Solaris Groups */
373 	token->tkn_posix_grps = smb_token_create_pxgrps(token->tkn_user.i_id);
374 
375 	return (NT_STATUS_SUCCESS);
376 }
377 
378 uint32_t
379 smb_logon_init(void)
380 {
381 	uint32_t status;
382 
383 	(void) rw_wrlock(&smb_logoninit_rwl);
384 	status = smb_sam_lookup_name(NULL, "guest", SidTypeUser, &smb_guest);
385 	if (status != NT_STATUS_SUCCESS) {
386 		(void) rw_unlock(&smb_logoninit_rwl);
387 		return (status);
388 	}
389 
390 	status = smb_sam_lookup_name(NULL, "domain users", SidTypeGroup,
391 	    &smb_domusers);
392 	if (status != NT_STATUS_SUCCESS) {
393 		smb_account_free(&smb_guest);
394 		bzero(&smb_guest, sizeof (smb_account_t));
395 		(void) rw_unlock(&smb_logoninit_rwl);
396 		return (status);
397 	}
398 
399 	(void) rw_unlock(&smb_logoninit_rwl);
400 	return (status);
401 }
402 
403 void
404 smb_logon_fini(void)
405 {
406 	(void) rw_wrlock(&smb_logoninit_rwl);
407 	smb_account_free(&smb_guest);
408 	smb_account_free(&smb_domusers);
409 	bzero(&smb_guest, sizeof (smb_account_t));
410 	bzero(&smb_domusers, sizeof (smb_account_t));
411 	(void) rw_unlock(&smb_logoninit_rwl);
412 }
413 
414 /*
415  * smb_logon
416  *
417  * Performs user authentication and creates a token if the
418  * authentication is successful.
419  *
420  * Returns pointer to the created token.
421  */
422 smb_token_t *
423 smb_logon(netr_client_t *clnt)
424 {
425 	smb_token_t *token = NULL;
426 	uint32_t status;
427 
428 	if ((token = malloc(sizeof (smb_token_t))) == NULL) {
429 		syslog(LOG_ERR, "smb_logon: resource shortage");
430 		return (NULL);
431 	}
432 	bzero(token, sizeof (smb_token_t));
433 
434 	status = smb_logon_anon(clnt, token);
435 	if (status == NT_STATUS_INVALID_LOGON_TYPE) {
436 		status = smb_logon_local(clnt, token);
437 		if ((status != NT_STATUS_SUCCESS) &&
438 		    (smb_config_get_secmode() == SMB_SECMODE_DOMAIN)) {
439 			if ((status == NT_STATUS_INVALID_LOGON_TYPE) ||
440 			    (*clnt->e_domain == '\0'))
441 				status = smb_logon_domain(clnt, token);
442 		}
443 
444 		if (status == NT_STATUS_NO_SUCH_USER)
445 			status = smb_logon_guest(clnt, token);
446 	}
447 
448 	if (status == NT_STATUS_SUCCESS) {
449 		if (smb_token_setup_common(token) == NT_STATUS_SUCCESS)
450 			return (token);
451 	}
452 
453 	smb_token_destroy(token);
454 	return (NULL);
455 }
456 
457 /*
458  * smb_logon_domain
459  *
460  * Performs pass through authentication with PDC.
461  */
462 static uint32_t
463 smb_logon_domain(netr_client_t *clnt, smb_token_t *token)
464 {
465 	uint32_t status;
466 
467 	if ((status = netlogon_logon(clnt, token)) != 0) {
468 		if (status == NT_STATUS_CANT_ACCESS_DOMAIN_INFO) {
469 			if ((status = netlogon_logon(clnt, token)) != 0) {
470 				syslog(LOG_INFO, "SmbLogon[%s\\%s]: %s",
471 				    clnt->e_domain, clnt->e_username,
472 				    xlate_nt_status(status));
473 				return (status);
474 			}
475 		}
476 	}
477 
478 	return (status);
479 }
480 
481 /*
482  * smb_logon_local
483  *
484  * Check to see if connected user has an entry in the local
485  * smbpasswd database. If it has, tries both LM hash and NT
486  * hash with user's password(s) to authenticate the user.
487  */
488 static uint32_t
489 smb_logon_local(netr_client_t *clnt, smb_token_t *token)
490 {
491 	char guest[SMB_USERNAME_MAXLEN];
492 	smb_passwd_t smbpw;
493 	uint32_t status;
494 	smb_domain_t domain;
495 	boolean_t isguest;
496 
497 	/* Make sure this is not a domain user */
498 	if (smb_config_get_secmode() == SMB_SECMODE_DOMAIN) {
499 		if (smb_domain_lookup_name(clnt->e_domain, &domain)) {
500 			if (domain.di_type != SMB_DOMAIN_LOCAL)
501 				return (NT_STATUS_INVALID_LOGON_TYPE);
502 		}
503 	}
504 
505 	smb_guest_account(guest, SMB_USERNAME_MAXLEN);
506 	isguest = (smb_strcasecmp(guest, clnt->e_username, 0) == 0);
507 
508 	status = smb_token_auth_local(clnt, token, &smbpw);
509 	if (status == NT_STATUS_SUCCESS) {
510 		if (isguest)
511 			status = smb_token_setup_guest(clnt, token);
512 		else
513 			status = smb_token_setup_local(&smbpw, token);
514 	}
515 
516 	return (status);
517 }
518 
519 /*
520  * If there's a local guest account with password or if
521  * guest is mapped to a local account with password then
522  * it should be authenticated
523  */
524 static uint32_t
525 smb_logon_guest(netr_client_t *clnt, smb_token_t *token)
526 {
527 	char guest[SMB_USERNAME_MAXLEN];
528 	smb_passwd_t smbpw;
529 	char *temp;
530 	uint32_t status;
531 
532 	smb_guest_account(guest, SMB_USERNAME_MAXLEN);
533 	temp = clnt->e_username;
534 	clnt->e_username = guest;
535 
536 	status = smb_token_auth_local(clnt, token, &smbpw);
537 	if ((status == NT_STATUS_SUCCESS) ||
538 	    (status == NT_STATUS_NO_SUCH_USER)) {
539 		status = smb_token_setup_guest(clnt, token);
540 	}
541 
542 	clnt->e_username = temp;
543 	return (status);
544 }
545 
546 /*
547  * If 'clnt' represents an anonymous user (no password)
548  * then setup the token accordingly, otherwise return
549  * NT_STATUS_INVALID_LOGON_TYPE
550  */
551 static uint32_t
552 smb_logon_anon(netr_client_t *clnt, smb_token_t *token)
553 {
554 	if ((clnt->nt_password.nt_password_len == 0) &&
555 	    (clnt->lm_password.lm_password_len == 0 ||
556 	    (clnt->lm_password.lm_password_len == 1 &&
557 	    *clnt->lm_password.lm_password_val == '\0'))) {
558 		return (smb_token_setup_anon(token));
559 	}
560 
561 	return (NT_STATUS_INVALID_LOGON_TYPE);
562 }
563 
564 static uint32_t
565 smb_token_auth_local(netr_client_t *clnt, smb_token_t *token,
566     smb_passwd_t *smbpw)
567 {
568 	boolean_t lm_ok, nt_ok;
569 	uint32_t status = NT_STATUS_SUCCESS;
570 
571 	if (smb_pwd_getpwnam(clnt->e_username, smbpw) == NULL)
572 		return (NT_STATUS_NO_SUCH_USER);
573 
574 	if (smbpw->pw_flags & SMB_PWF_DISABLE)
575 		return (NT_STATUS_ACCOUNT_DISABLED);
576 
577 	nt_ok = lm_ok = B_FALSE;
578 	if ((smbpw->pw_flags & SMB_PWF_LM) &&
579 	    (clnt->lm_password.lm_password_len != 0)) {
580 		lm_ok = smb_auth_validate_lm(
581 		    clnt->challenge_key.challenge_key_val,
582 		    clnt->challenge_key.challenge_key_len,
583 		    smbpw,
584 		    clnt->lm_password.lm_password_val,
585 		    clnt->lm_password.lm_password_len,
586 		    clnt->domain,
587 		    clnt->username);
588 		token->tkn_session_key = NULL;
589 	}
590 
591 	if (!lm_ok && (clnt->nt_password.nt_password_len != 0)) {
592 		token->tkn_session_key = malloc(SMBAUTH_SESSION_KEY_SZ);
593 		if (token->tkn_session_key == NULL)
594 			return (NT_STATUS_NO_MEMORY);
595 		nt_ok = smb_auth_validate_nt(
596 		    clnt->challenge_key.challenge_key_val,
597 		    clnt->challenge_key.challenge_key_len,
598 		    smbpw,
599 		    clnt->nt_password.nt_password_val,
600 		    clnt->nt_password.nt_password_len,
601 		    clnt->domain,
602 		    clnt->username,
603 		    (uchar_t *)token->tkn_session_key);
604 	}
605 
606 	if (!nt_ok && !lm_ok) {
607 		status = NT_STATUS_WRONG_PASSWORD;
608 		syslog(LOG_NOTICE, "SmbLogon[%s\\%s]: %s",
609 		    clnt->e_domain, clnt->e_username,
610 		    xlate_nt_status(status));
611 	}
612 
613 	return (status);
614 }
615 
616 /*
617  * Setup an access token for the specified local user.
618  */
619 static uint32_t
620 smb_token_setup_local(smb_passwd_t *smbpw, smb_token_t *token)
621 {
622 	idmap_stat stat;
623 	smb_idmap_batch_t sib;
624 	smb_idmap_t *umap, *gmap;
625 	struct passwd pw;
626 	char pwbuf[1024];
627 	char nbname[NETBIOS_NAME_SZ];
628 
629 	(void) smb_getnetbiosname(nbname, sizeof (nbname));
630 	token->tkn_account_name = strdup(smbpw->pw_name);
631 	token->tkn_domain_name = strdup(nbname);
632 
633 	if (token->tkn_account_name == NULL ||
634 	    token->tkn_domain_name == NULL)
635 		return (NT_STATUS_NO_MEMORY);
636 
637 	if (getpwuid_r(smbpw->pw_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL)
638 		return (NT_STATUS_NO_SUCH_USER);
639 
640 	/* Get the SID for user's uid & gid */
641 	stat = smb_idmap_batch_create(&sib, 2, SMB_IDMAP_ID2SID);
642 	if (stat != IDMAP_SUCCESS)
643 		return (NT_STATUS_INTERNAL_ERROR);
644 
645 	umap = &sib.sib_maps[0];
646 	stat = smb_idmap_batch_getsid(sib.sib_idmaph, umap, pw.pw_uid,
647 	    SMB_IDMAP_USER);
648 
649 	if (stat != IDMAP_SUCCESS) {
650 		smb_idmap_batch_destroy(&sib);
651 		return (NT_STATUS_INTERNAL_ERROR);
652 	}
653 
654 	gmap = &sib.sib_maps[1];
655 	stat = smb_idmap_batch_getsid(sib.sib_idmaph, gmap, pw.pw_gid,
656 	    SMB_IDMAP_GROUP);
657 
658 	if (stat != IDMAP_SUCCESS) {
659 		smb_idmap_batch_destroy(&sib);
660 		return (NT_STATUS_INTERNAL_ERROR);
661 	}
662 
663 	if (smb_idmap_batch_getmappings(&sib) != IDMAP_SUCCESS)
664 		return (NT_STATUS_INTERNAL_ERROR);
665 
666 	token->tkn_user.i_sid = smb_sid_dup(umap->sim_sid);
667 	token->tkn_primary_grp.i_sid = smb_sid_dup(gmap->sim_sid);
668 
669 	smb_idmap_batch_destroy(&sib);
670 
671 	if (token->tkn_user.i_sid == NULL ||
672 	    token->tkn_primary_grp.i_sid == NULL)
673 		return (NT_STATUS_NO_MEMORY);
674 
675 	return (smb_token_setup_wingrps(token));
676 }
677 
678 /*
679  * Setup access token for guest connections
680  */
681 static uint32_t
682 smb_token_setup_guest(netr_client_t *clnt, smb_token_t *token)
683 {
684 	token->tkn_account_name = strdup(clnt->e_username);
685 
686 	(void) rw_rdlock(&smb_logoninit_rwl);
687 	token->tkn_domain_name = strdup(smb_guest.a_domain);
688 	token->tkn_user.i_sid = smb_sid_dup(smb_guest.a_sid);
689 	token->tkn_primary_grp.i_sid = smb_sid_dup(smb_domusers.a_sid);
690 	(void) rw_unlock(&smb_logoninit_rwl);
691 	token->tkn_flags = SMB_ATF_GUEST;
692 
693 	if (token->tkn_account_name == NULL ||
694 	    token->tkn_domain_name == NULL ||
695 	    token->tkn_user.i_sid == NULL ||
696 	    token->tkn_primary_grp.i_sid == NULL)
697 		return (NT_STATUS_NO_MEMORY);
698 
699 	return (smb_token_setup_wingrps(token));
700 }
701 
702 /*
703  * Setup access token for anonymous connections
704  */
705 static uint32_t
706 smb_token_setup_anon(smb_token_t *token)
707 {
708 	smb_sid_t *user_sid;
709 
710 	token->tkn_account_name = strdup("Anonymous");
711 	token->tkn_domain_name = strdup("NT Authority");
712 	user_sid = smb_wka_get_sid("Anonymous");
713 	token->tkn_user.i_sid = smb_sid_dup(user_sid);
714 	token->tkn_primary_grp.i_sid = smb_sid_dup(user_sid);
715 	token->tkn_flags = SMB_ATF_ANON;
716 
717 	if (token->tkn_account_name == NULL ||
718 	    token->tkn_domain_name == NULL ||
719 	    token->tkn_user.i_sid == NULL ||
720 	    token->tkn_primary_grp.i_sid == NULL)
721 		return (NT_STATUS_NO_MEMORY);
722 
723 	return (smb_token_setup_wingrps(token));
724 }
725 
726 /*
727  * smb_token_user_sid
728  *
729  * Return a pointer to the user SID in the specified token. A null
730  * pointer indicates an error.
731  */
732 static smb_sid_t *
733 smb_token_user_sid(smb_token_t *token)
734 {
735 	return ((token) ? token->tkn_user.i_sid : NULL);
736 }
737 
738 /*
739  * smb_token_group_sid
740  *
741  * Return a pointer to the group SID as indicated by the iterator.
742  * Setting the iterator to 0 before calling this function will return
743  * the first group, which will always be the primary group. The
744  * iterator will be incremented before returning the SID so that this
745  * function can be used to cycle through the groups. The caller can
746  * adjust the iterator as required between calls to obtain any specific
747  * group.
748  *
749  * On success a pointer to the appropriate group SID will be returned.
750  * Otherwise a null pointer will be returned.
751  */
752 static smb_sid_t *
753 smb_token_group_sid(smb_token_t *token, int *iterator)
754 {
755 	int index;
756 
757 	if (token == NULL || iterator == NULL)
758 		return (NULL);
759 
760 	if (token->tkn_win_grps.i_ids == NULL)
761 		return (NULL);
762 
763 	index = *iterator;
764 
765 	if (index < 0 || index >= token->tkn_win_grps.i_cnt)
766 		return (NULL);
767 
768 	++(*iterator);
769 	return (token->tkn_win_grps.i_ids[index].i_sid);
770 }
771 
772 /*
773  * smb_token_is_member
774  *
775  * This function will determine whether or not the specified SID is a
776  * member of a token. The user SID and all group SIDs are tested.
777  * Returns 1 if the SID is a member of the token. Otherwise returns 0.
778  */
779 static boolean_t
780 smb_token_is_member(smb_token_t *token, smb_sid_t *sid)
781 {
782 	smb_sid_t *tsid;
783 	int iterator = 0;
784 
785 	if (token == NULL || sid == NULL)
786 		return (B_FALSE);
787 
788 	tsid = smb_token_user_sid(token);
789 	while (tsid) {
790 		if (smb_sid_cmp(tsid, sid))
791 			return (B_TRUE);
792 
793 		tsid = smb_token_group_sid(token, &iterator);
794 	}
795 
796 	return (B_FALSE);
797 }
798 
799 /*
800  * smb_token_log
801  *
802  * Diagnostic routine to write the contents of a token to the log.
803  */
804 void
805 smb_token_log(smb_token_t *token)
806 {
807 	smb_ids_t *w_grps;
808 	smb_id_t *grp;
809 	smb_posix_grps_t *x_grps;
810 	char sidstr[SMB_SID_STRSZ];
811 	int i;
812 
813 	if (token == NULL)
814 		return;
815 
816 	syslog(LOG_DEBUG, "Token for %s\\%s",
817 	    (token->tkn_domain_name) ? token->tkn_domain_name : "-NULL-",
818 	    (token->tkn_account_name) ? token->tkn_account_name : "-NULL-");
819 
820 	syslog(LOG_DEBUG, "   User->Attr: %d", token->tkn_user.i_attrs);
821 	smb_sid_tostr((smb_sid_t *)token->tkn_user.i_sid, sidstr);
822 	syslog(LOG_DEBUG, "   User->Sid: %s (id=%u)", sidstr,
823 	    token->tkn_user.i_id);
824 
825 	smb_sid_tostr((smb_sid_t *)token->tkn_owner.i_sid, sidstr);
826 	syslog(LOG_DEBUG, "   Ownr->Sid: %s (id=%u)",
827 	    sidstr, token->tkn_owner.i_id);
828 
829 	smb_sid_tostr((smb_sid_t *)token->tkn_primary_grp.i_sid, sidstr);
830 	syslog(LOG_DEBUG, "   PGrp->Sid: %s (id=%u)",
831 	    sidstr, token->tkn_primary_grp.i_id);
832 
833 	w_grps = &token->tkn_win_grps;
834 	if (w_grps->i_ids) {
835 		syslog(LOG_DEBUG, "   Windows groups: %d", w_grps->i_cnt);
836 		grp = w_grps->i_ids;
837 		for (i = 0; i < w_grps->i_cnt; ++i, grp++) {
838 			syslog(LOG_DEBUG,
839 			    "    Grp[%d].Attr:%d", i, grp->i_attrs);
840 			if (grp->i_sid != NULL) {
841 				smb_sid_tostr((smb_sid_t *)grp->i_sid, sidstr);
842 				syslog(LOG_DEBUG,
843 				    "    Grp[%d].Sid: %s (id=%u)", i, sidstr,
844 				    grp->i_id);
845 			}
846 		}
847 	} else {
848 		syslog(LOG_DEBUG, "   No Windows groups");
849 	}
850 
851 	x_grps = token->tkn_posix_grps;
852 	if (x_grps) {
853 		syslog(LOG_DEBUG, "   Solaris groups: %d", x_grps->pg_ngrps);
854 		for (i = 0; i < x_grps->pg_ngrps; i++)
855 			syslog(LOG_DEBUG, "    %u", x_grps->pg_grps[i]);
856 	} else {
857 		syslog(LOG_DEBUG, "   No Solaris groups");
858 	}
859 
860 	if (token->tkn_privileges)
861 		smb_privset_log(token->tkn_privileges);
862 	else
863 		syslog(LOG_DEBUG, "   No privileges");
864 }
865 
866 /*
867  * Sets up local and well-known group membership for the given
868  * token. Two assumptions have been made here:
869  *
870  *   a) token already contains a valid user SID so that group
871  *      memberships can be established
872  *
873  *   b) token belongs to a local or anonymous user
874  */
875 static uint32_t
876 smb_token_setup_wingrps(smb_token_t *token)
877 {
878 	smb_ids_t tkn_grps;
879 	uint32_t status;
880 
881 
882 	/*
883 	 * We always want the user's primary group in the list
884 	 * of groups.
885 	 */
886 	tkn_grps.i_cnt = 1;
887 	if ((tkn_grps.i_ids = malloc(sizeof (smb_id_t))) == NULL)
888 		return (NT_STATUS_NO_MEMORY);
889 
890 	tkn_grps.i_ids->i_sid = smb_sid_dup(token->tkn_primary_grp.i_sid);
891 	tkn_grps.i_ids->i_attrs = token->tkn_primary_grp.i_attrs;
892 	if (tkn_grps.i_ids->i_sid == NULL) {
893 		smb_ids_free(&tkn_grps);
894 		return (NT_STATUS_NO_MEMORY);
895 	}
896 
897 	status = smb_sam_usr_groups(token->tkn_user.i_sid, &tkn_grps);
898 	if (status != NT_STATUS_SUCCESS) {
899 		smb_ids_free(&tkn_grps);
900 		return (status);
901 	}
902 
903 	status = smb_wka_token_groups(token->tkn_flags, &tkn_grps);
904 	if (status != NT_STATUS_SUCCESS) {
905 		smb_ids_free(&tkn_grps);
906 		return (status);
907 	}
908 
909 	token->tkn_win_grps = tkn_grps;
910 	return (status);
911 }
912 
913 /*
914  * Returns the guest account name in the provided buffer.
915  *
916  * By default the name would be "guest" unless there's
917  * a idmap name-based rule which maps the guest to a local
918  * Solaris user in which case the name of that user is
919  * returned.
920  */
921 static void
922 smb_guest_account(char *guest, size_t buflen)
923 {
924 	idmap_stat stat;
925 	uid_t guest_uid;
926 	struct passwd pw;
927 	char pwbuf[1024];
928 	int idtype;
929 
930 	/* default Guest account name */
931 	(void) rw_rdlock(&smb_logoninit_rwl);
932 	(void) strlcpy(guest, smb_guest.a_name, buflen);
933 
934 	idtype = SMB_IDMAP_USER;
935 	stat = smb_idmap_getid(smb_guest.a_sid, &guest_uid, &idtype);
936 	(void) rw_unlock(&smb_logoninit_rwl);
937 
938 	if (stat != IDMAP_SUCCESS)
939 		return;
940 
941 	if ((guest_uid > INT32_MAX) && (guest_uid != UINT32_MAX))
942 		/* Ephemeral ID, return the default name */
943 		return;
944 
945 	if (getpwuid_r(guest_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL)
946 		return;
947 
948 	(void) strlcpy(guest, pw.pw_name, buflen);
949 }
950