xref: /titanic_52/usr/src/lib/smbsrv/libmlsvc/common/smb_logon.c (revision e48cae6f8c603e9a18cdb49fdf939cd4e1753e62)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 #include <unistd.h>
26 #include <strings.h>
27 #include <pwd.h>
28 #include <grp.h>
29 #include <time.h>
30 #include <syslog.h>
31 #include <assert.h>
32 #include <synch.h>
33 
34 #include <smbsrv/libsmb.h>
35 #include <smbsrv/libmlsvc.h>
36 
37 #include <smbsrv/smbinfo.h>
38 #include <smbsrv/smb_token.h>
39 #include <lsalib.h>
40 
41 static smb_account_t smb_guest;
42 static smb_account_t smb_domusers;
43 static rwlock_t smb_logoninit_rwl;
44 
45 typedef void (*smb_logonop_t)(smb_logon_t *, smb_token_t *);
46 
47 extern void smb_logon_domain(smb_logon_t *, smb_token_t *);
48 static void smb_logon_local(smb_logon_t *, smb_token_t *);
49 static void smb_logon_guest(smb_logon_t *, smb_token_t *);
50 static void smb_logon_anon(smb_logon_t *, smb_token_t *);
51 
52 static uint32_t smb_token_auth_local(smb_logon_t *, smb_token_t *,
53     smb_passwd_t *);
54 
55 static uint32_t smb_token_setup_local(smb_passwd_t *, smb_token_t *);
56 static uint32_t smb_token_setup_guest(smb_logon_t *, smb_token_t *);
57 static uint32_t smb_token_setup_anon(smb_token_t *token);
58 
59 static boolean_t smb_token_is_member(smb_token_t *, smb_sid_t *);
60 static uint32_t smb_token_setup_wingrps(smb_token_t *);
61 static smb_posix_grps_t *smb_token_create_pxgrps(uid_t);
62 
63 static void smb_guest_account(char *, size_t);
64 
65 /* Consolidation private function from Network Repository */
66 extern int _getgroupsbymember(const char *, gid_t[], int, int);
67 
68 static idmap_stat
69 smb_token_idmap(smb_token_t *token, smb_idmap_batch_t *sib)
70 {
71 	idmap_stat stat;
72 	smb_idmap_t *sim;
73 	smb_id_t *id;
74 	int i;
75 
76 	if (!token || !sib)
77 		return (IDMAP_ERR_ARG);
78 
79 	sim = sib->sib_maps;
80 
81 	if (token->tkn_flags & SMB_ATF_ANON) {
82 		token->tkn_user.i_id = UID_NOBODY;
83 		token->tkn_owner.i_id = UID_NOBODY;
84 	} else {
85 		/* User SID */
86 		id = &token->tkn_user;
87 		sim->sim_id = &id->i_id;
88 		stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++,
89 		    id->i_sid, SMB_IDMAP_USER);
90 
91 		if (stat != IDMAP_SUCCESS)
92 			return (stat);
93 
94 		/* Owner SID */
95 		id = &token->tkn_owner;
96 		sim->sim_id = &id->i_id;
97 		stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++,
98 		    id->i_sid, SMB_IDMAP_USER);
99 
100 		if (stat != IDMAP_SUCCESS)
101 			return (stat);
102 	}
103 
104 	/* Primary Group SID */
105 	id = &token->tkn_primary_grp;
106 	sim->sim_id = &id->i_id;
107 	stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, id->i_sid,
108 	    SMB_IDMAP_GROUP);
109 
110 	if (stat != IDMAP_SUCCESS)
111 		return (stat);
112 
113 	/* Other Windows Group SIDs */
114 	for (i = 0; i < token->tkn_win_grps.i_cnt; i++, sim++) {
115 		id = &token->tkn_win_grps.i_ids[i];
116 		sim->sim_id = &id->i_id;
117 		stat = smb_idmap_batch_getid(sib->sib_idmaph, sim,
118 		    id->i_sid, SMB_IDMAP_GROUP);
119 
120 		if (stat != IDMAP_SUCCESS)
121 			break;
122 	}
123 
124 	return (stat);
125 }
126 
127 /*
128  * smb_token_sids2ids
129  *
130  * This will map all the SIDs of the access token to UIDs/GIDs.
131  *
132  * Returns 0 upon success.  Otherwise, returns -1.
133  */
134 static int
135 smb_token_sids2ids(smb_token_t *token)
136 {
137 	idmap_stat stat;
138 	int nmaps;
139 	smb_idmap_batch_t sib;
140 
141 	/*
142 	 * Number of idmap lookups: user SID, owner SID, primary group SID,
143 	 * and all Windows group SIDs. Skip user/owner SID for Anonymous.
144 	 */
145 	if (token->tkn_flags & SMB_ATF_ANON)
146 		nmaps = token->tkn_win_grps.i_cnt + 1;
147 	else
148 		nmaps = token->tkn_win_grps.i_cnt + 3;
149 
150 	stat = smb_idmap_batch_create(&sib, nmaps, SMB_IDMAP_SID2ID);
151 	if (stat != IDMAP_SUCCESS)
152 		return (-1);
153 
154 	stat = smb_token_idmap(token, &sib);
155 	if (stat != IDMAP_SUCCESS) {
156 		smb_idmap_batch_destroy(&sib);
157 		return (-1);
158 	}
159 
160 	stat = smb_idmap_batch_getmappings(&sib);
161 	smb_idmap_batch_destroy(&sib);
162 	smb_idmap_check("smb_idmap_batch_getmappings", stat);
163 
164 	return (stat == IDMAP_SUCCESS ? 0 : -1);
165 }
166 
167 /*
168  * smb_token_create_pxgrps
169  *
170  * Setup the POSIX group membership of the access token if the given UID is
171  * a POSIX UID (non-ephemeral). Both the user's primary group and
172  * supplementary groups will be added to the POSIX group array of the access
173  * token.
174  */
175 static smb_posix_grps_t *
176 smb_token_create_pxgrps(uid_t uid)
177 {
178 	struct passwd *pwd;
179 	smb_posix_grps_t *pgrps;
180 	int ngroups_max, num;
181 	gid_t *gids;
182 
183 	if ((ngroups_max = sysconf(_SC_NGROUPS_MAX)) < 0) {
184 		syslog(LOG_ERR, "smb_logon: failed to get _SC_NGROUPS_MAX");
185 		return (NULL);
186 	}
187 
188 	pwd = getpwuid(uid);
189 	if (pwd == NULL) {
190 		pgrps = malloc(sizeof (smb_posix_grps_t));
191 		if (pgrps == NULL)
192 			return (NULL);
193 
194 		pgrps->pg_ngrps = 0;
195 		return (pgrps);
196 	}
197 
198 	if (pwd->pw_name == NULL) {
199 		pgrps = malloc(sizeof (smb_posix_grps_t));
200 		if (pgrps == NULL)
201 			return (NULL);
202 
203 		pgrps->pg_ngrps = 1;
204 		pgrps->pg_grps[0] = pwd->pw_gid;
205 		return (pgrps);
206 	}
207 
208 	gids = (gid_t *)malloc(ngroups_max * sizeof (gid_t));
209 	if (gids == NULL) {
210 		return (NULL);
211 	}
212 	bzero(gids, ngroups_max * sizeof (gid_t));
213 
214 	gids[0] = pwd->pw_gid;
215 
216 	/*
217 	 * Setup the groups starting at index 1 (the last arg)
218 	 * of gids array.
219 	 */
220 	num = _getgroupsbymember(pwd->pw_name, gids, ngroups_max, 1);
221 
222 	if (num == -1) {
223 		syslog(LOG_ERR, "smb_logon: unable "
224 		    "to get user's supplementary groups");
225 		num = 1;
226 	}
227 
228 	pgrps = (smb_posix_grps_t *)malloc(SMB_POSIX_GRPS_SIZE(num));
229 	if (pgrps) {
230 		pgrps->pg_ngrps = num;
231 		bcopy(gids, pgrps->pg_grps, num * sizeof (gid_t));
232 	}
233 
234 	free(gids);
235 	return (pgrps);
236 }
237 
238 /*
239  * smb_token_destroy
240  *
241  * Release all of the memory associated with a token structure. Ensure
242  * that the token has been unlinked before calling.
243  */
244 void
245 smb_token_destroy(smb_token_t *token)
246 {
247 	if (token != NULL) {
248 		smb_sid_free(token->tkn_user.i_sid);
249 		smb_sid_free(token->tkn_owner.i_sid);
250 		smb_sid_free(token->tkn_primary_grp.i_sid);
251 		smb_ids_free(&token->tkn_win_grps);
252 		smb_privset_free(token->tkn_privileges);
253 		free(token->tkn_posix_grps);
254 		free(token->tkn_account_name);
255 		free(token->tkn_domain_name);
256 		free(token->tkn_session_key);
257 		bzero(token, sizeof (smb_token_t));
258 		free(token);
259 	}
260 }
261 
262 /*
263  * Token owner should be set to local Administrators group
264  * in two cases:
265  *   1. The logged on user is a member of Domain Admins group
266  *   2. he/she is a member of local Administrators group
267  */
268 static void
269 smb_token_set_owner(smb_token_t *token)
270 {
271 #ifdef SMB_SUPPORT_GROUP_OWNER
272 	smb_sid_t *owner_sid;
273 
274 	if (token->tkn_flags & SMB_ATF_ADMIN) {
275 		owner_sid = smb_wka_get_sid("Administrators");
276 		assert(owner_sid);
277 	} else {
278 		owner_sid = token->tkn_user->i_sid;
279 	}
280 
281 	token->tkn_owner.i_sid = smb_sid_dup(owner_sid);
282 #endif
283 	token->tkn_owner.i_sid = smb_sid_dup(token->tkn_user.i_sid);
284 }
285 
286 static smb_privset_t *
287 smb_token_create_privs(smb_token_t *token)
288 {
289 	smb_privset_t *privs;
290 	smb_giter_t gi;
291 	smb_group_t grp;
292 	int rc;
293 
294 	privs = smb_privset_new();
295 	if (privs == NULL)
296 		return (NULL);
297 
298 	if (smb_lgrp_iteropen(&gi) != SMB_LGRP_SUCCESS) {
299 		smb_privset_free(privs);
300 		return (NULL);
301 	}
302 
303 	while (smb_lgrp_iterate(&gi, &grp) == SMB_LGRP_SUCCESS) {
304 		if (smb_lgrp_is_member(&grp, token->tkn_user.i_sid))
305 			smb_privset_merge(privs, grp.sg_privs);
306 		smb_lgrp_free(&grp);
307 	}
308 	smb_lgrp_iterclose(&gi);
309 
310 	if (token->tkn_flags & SMB_ATF_ADMIN) {
311 		char admgrp[] = "Administrators";
312 
313 		rc = smb_lgrp_getbyname(admgrp, &grp);
314 		if (rc == SMB_LGRP_SUCCESS) {
315 			smb_privset_merge(privs, grp.sg_privs);
316 			smb_lgrp_free(&grp);
317 		}
318 
319 		/*
320 		 * This privilege is required to view/edit SACL
321 		 */
322 		smb_privset_enable(privs, SE_SECURITY_LUID);
323 	}
324 
325 	return (privs);
326 }
327 
328 static void
329 smb_token_set_flags(smb_token_t *token)
330 {
331 	if (smb_token_is_member(token, smb_wka_get_sid("Administrators")))
332 		token->tkn_flags |= SMB_ATF_ADMIN;
333 
334 	if (smb_token_is_member(token, smb_wka_get_sid("Power Users")))
335 		token->tkn_flags |= SMB_ATF_POWERUSER;
336 
337 	if (smb_token_is_member(token, smb_wka_get_sid("Backup Operators")))
338 		token->tkn_flags |= SMB_ATF_BACKUPOP;
339 }
340 
341 /*
342  * Common token setup for both local and domain users.
343  * This function must be called after the initial setup
344  * has been done.
345  *
346  * Note that the order of calls in this function are important.
347  */
348 static boolean_t
349 smb_token_setup_common(smb_token_t *token)
350 {
351 	smb_token_set_flags(token);
352 
353 	smb_token_set_owner(token);
354 	if (token->tkn_owner.i_sid == NULL)
355 		return (B_FALSE);
356 
357 	/* Privileges */
358 	token->tkn_privileges = smb_token_create_privs(token);
359 	if (token->tkn_privileges == NULL)
360 		return (B_FALSE);
361 
362 	if (smb_token_sids2ids(token) != 0) {
363 		syslog(LOG_ERR, "%s\\%s: idmap failed",
364 		    token->tkn_domain_name, token->tkn_account_name);
365 		return (B_FALSE);
366 	}
367 
368 	/* Solaris Groups */
369 	token->tkn_posix_grps = smb_token_create_pxgrps(token->tkn_user.i_id);
370 
371 	return (smb_token_valid(token));
372 }
373 
374 uint32_t
375 smb_logon_init(void)
376 {
377 	uint32_t status;
378 
379 	(void) rw_wrlock(&smb_logoninit_rwl);
380 	status = smb_sam_lookup_name(NULL, "guest", SidTypeUser, &smb_guest);
381 	if (status != NT_STATUS_SUCCESS) {
382 		(void) rw_unlock(&smb_logoninit_rwl);
383 		return (status);
384 	}
385 
386 	status = smb_sam_lookup_name(NULL, "domain users", SidTypeGroup,
387 	    &smb_domusers);
388 	if (status != NT_STATUS_SUCCESS) {
389 		smb_account_free(&smb_guest);
390 		bzero(&smb_guest, sizeof (smb_account_t));
391 		(void) rw_unlock(&smb_logoninit_rwl);
392 		return (status);
393 	}
394 
395 	(void) rw_unlock(&smb_logoninit_rwl);
396 	return (status);
397 }
398 
399 void
400 smb_logon_fini(void)
401 {
402 	(void) rw_wrlock(&smb_logoninit_rwl);
403 	smb_account_free(&smb_guest);
404 	smb_account_free(&smb_domusers);
405 	bzero(&smb_guest, sizeof (smb_account_t));
406 	bzero(&smb_domusers, sizeof (smb_account_t));
407 	(void) rw_unlock(&smb_logoninit_rwl);
408 }
409 
410 /*
411  * Perform user authentication.
412  *
413  * The dispatched functions must only update the user_info status if they
414  * attempt to authenticate the user.
415  *
416  * On success, a pointer to a new access token is returned.
417  */
418 smb_token_t *
419 smb_logon(smb_logon_t *user_info)
420 {
421 	static smb_logonop_t	ops[] = {
422 		smb_logon_anon,
423 		smb_logon_local,
424 		smb_logon_domain,
425 		smb_logon_guest
426 	};
427 	smb_token_t		*token = NULL;
428 	smb_domain_t		domain;
429 	int			n_op = (sizeof (ops) / sizeof (ops[0]));
430 	int			i;
431 
432 	user_info->lg_secmode = smb_config_get_secmode();
433 	user_info->lg_status = NT_STATUS_NO_SUCH_USER;
434 
435 	if (smb_domain_lookup_name(user_info->lg_e_domain, &domain))
436 		user_info->lg_domain_type = domain.di_type;
437 	else
438 		user_info->lg_domain_type = SMB_DOMAIN_NULL;
439 
440 	if ((token = calloc(1, sizeof (smb_token_t))) == NULL) {
441 		syslog(LOG_ERR, "logon[%s\\%s]: %m",
442 		    user_info->lg_e_domain, user_info->lg_e_username);
443 		return (NULL);
444 	}
445 
446 	for (i = 0; i < n_op; ++i) {
447 		(*ops[i])(user_info, token);
448 
449 		if (user_info->lg_status == NT_STATUS_SUCCESS)
450 			break;
451 	}
452 
453 	if (user_info->lg_status == NT_STATUS_SUCCESS) {
454 		if (smb_token_setup_common(token))
455 			return (token);
456 	}
457 
458 	smb_token_destroy(token);
459 	return (NULL);
460 }
461 
462 /*
463  * If the user has an entry in the local database, attempt local authentication.
464  *
465  * In domain mode, we try to exclude domain accounts, which we do by only
466  * accepting local or null (blank) domain names here.  Some clients (Mac OS)
467  * don't always send the domain name.
468  *
469  * If we are not going to attempt authentication, this function must return
470  * without updating the status.
471  */
472 static void
473 smb_logon_local(smb_logon_t *user_info, smb_token_t *token)
474 {
475 	char guest[SMB_USERNAME_MAXLEN];
476 	smb_passwd_t smbpw;
477 	uint32_t status;
478 	boolean_t isguest;
479 
480 	if (user_info->lg_secmode == SMB_SECMODE_DOMAIN) {
481 		if ((user_info->lg_domain_type != SMB_DOMAIN_LOCAL) &&
482 		    (user_info->lg_domain_type != SMB_DOMAIN_NULL))
483 			return;
484 	}
485 
486 	smb_guest_account(guest, SMB_USERNAME_MAXLEN);
487 	isguest = (smb_strcasecmp(guest, user_info->lg_e_username, 0) == 0);
488 
489 	status = smb_token_auth_local(user_info, token, &smbpw);
490 	if (status == NT_STATUS_SUCCESS) {
491 		if (isguest)
492 			status = smb_token_setup_guest(user_info, token);
493 		else
494 			status = smb_token_setup_local(&smbpw, token);
495 	}
496 
497 	user_info->lg_status = status;
498 }
499 
500 /*
501  * Guest authentication.  This may be a local guest account or the guest
502  * account may be mapped to a local account.  These accounts are regular
503  * accounts with normal password protection.
504  *
505  * Only proceed with a guest logon if previous logon options have resulted
506  * in NO_SUCH_USER.
507  *
508  * If we are not going to attempt authentication, this function must return
509  * without updating the status.
510  */
511 static void
512 smb_logon_guest(smb_logon_t *user_info, smb_token_t *token)
513 {
514 	char guest[SMB_USERNAME_MAXLEN];
515 	smb_passwd_t smbpw;
516 	char *temp;
517 	uint32_t status;
518 
519 	if (user_info->lg_status != NT_STATUS_NO_SUCH_USER)
520 		return;
521 
522 	smb_guest_account(guest, SMB_USERNAME_MAXLEN);
523 	temp = user_info->lg_e_username;
524 	user_info->lg_e_username = guest;
525 
526 	status = smb_token_auth_local(user_info, token, &smbpw);
527 	if ((status == NT_STATUS_SUCCESS) ||
528 	    (status == NT_STATUS_NO_SUCH_USER)) {
529 		status = smb_token_setup_guest(user_info, token);
530 	}
531 
532 	user_info->lg_e_username = temp;
533 	user_info->lg_status = status;
534 }
535 
536 /*
537  * If user_info represents an anonymous user then setup the token.
538  * Otherwise return without updating the status.
539  */
540 static void
541 smb_logon_anon(smb_logon_t *user_info, smb_token_t *token)
542 {
543 	if (user_info->lg_flags & SMB_ATF_ANON)
544 		user_info->lg_status = smb_token_setup_anon(token);
545 }
546 
547 /*
548  * Try both LM hash and NT hashes with user's password(s) to authenticate
549  * the user.
550  */
551 static uint32_t
552 smb_token_auth_local(smb_logon_t *user_info, smb_token_t *token,
553     smb_passwd_t *smbpw)
554 {
555 	boolean_t lm_ok, nt_ok;
556 	uint32_t status = NT_STATUS_SUCCESS;
557 
558 	if (smb_pwd_getpwnam(user_info->lg_e_username, smbpw) == NULL)
559 		return (NT_STATUS_NO_SUCH_USER);
560 
561 	if (smbpw->pw_flags & SMB_PWF_DISABLE)
562 		return (NT_STATUS_ACCOUNT_DISABLED);
563 
564 	nt_ok = lm_ok = B_FALSE;
565 	if ((smbpw->pw_flags & SMB_PWF_LM) &&
566 	    (user_info->lg_lm_password.len != 0)) {
567 		lm_ok = smb_auth_validate_lm(
568 		    user_info->lg_challenge_key.val,
569 		    user_info->lg_challenge_key.len,
570 		    smbpw,
571 		    user_info->lg_lm_password.val,
572 		    user_info->lg_lm_password.len,
573 		    user_info->lg_domain,
574 		    user_info->lg_username);
575 		token->tkn_session_key = NULL;
576 	}
577 
578 	if (!lm_ok && (user_info->lg_nt_password.len != 0)) {
579 		token->tkn_session_key = malloc(SMBAUTH_SESSION_KEY_SZ);
580 		if (token->tkn_session_key == NULL)
581 			return (NT_STATUS_NO_MEMORY);
582 		nt_ok = smb_auth_validate_nt(
583 		    user_info->lg_challenge_key.val,
584 		    user_info->lg_challenge_key.len,
585 		    smbpw,
586 		    user_info->lg_nt_password.val,
587 		    user_info->lg_nt_password.len,
588 		    user_info->lg_domain,
589 		    user_info->lg_username,
590 		    (uchar_t *)token->tkn_session_key);
591 	}
592 
593 	if (!nt_ok && !lm_ok) {
594 		status = NT_STATUS_WRONG_PASSWORD;
595 		syslog(LOG_NOTICE, "logon[%s\\%s]: %s",
596 		    user_info->lg_e_domain, user_info->lg_e_username,
597 		    xlate_nt_status(status));
598 	}
599 
600 	return (status);
601 }
602 
603 /*
604  * Setup an access token for the specified local user.
605  */
606 static uint32_t
607 smb_token_setup_local(smb_passwd_t *smbpw, smb_token_t *token)
608 {
609 	idmap_stat stat;
610 	smb_idmap_batch_t sib;
611 	smb_idmap_t *umap, *gmap;
612 	struct passwd pw;
613 	char pwbuf[1024];
614 	char nbname[NETBIOS_NAME_SZ];
615 
616 	(void) smb_getnetbiosname(nbname, sizeof (nbname));
617 	token->tkn_account_name = strdup(smbpw->pw_name);
618 	token->tkn_domain_name = strdup(nbname);
619 
620 	if (token->tkn_account_name == NULL ||
621 	    token->tkn_domain_name == NULL)
622 		return (NT_STATUS_NO_MEMORY);
623 
624 	if (getpwuid_r(smbpw->pw_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL)
625 		return (NT_STATUS_NO_SUCH_USER);
626 
627 	/* Get the SID for user's uid & gid */
628 	stat = smb_idmap_batch_create(&sib, 2, SMB_IDMAP_ID2SID);
629 	if (stat != IDMAP_SUCCESS)
630 		return (NT_STATUS_INTERNAL_ERROR);
631 
632 	umap = &sib.sib_maps[0];
633 	stat = smb_idmap_batch_getsid(sib.sib_idmaph, umap, pw.pw_uid,
634 	    SMB_IDMAP_USER);
635 
636 	if (stat != IDMAP_SUCCESS) {
637 		smb_idmap_batch_destroy(&sib);
638 		return (NT_STATUS_INTERNAL_ERROR);
639 	}
640 
641 	gmap = &sib.sib_maps[1];
642 	stat = smb_idmap_batch_getsid(sib.sib_idmaph, gmap, pw.pw_gid,
643 	    SMB_IDMAP_GROUP);
644 
645 	if (stat != IDMAP_SUCCESS) {
646 		smb_idmap_batch_destroy(&sib);
647 		return (NT_STATUS_INTERNAL_ERROR);
648 	}
649 
650 	if (smb_idmap_batch_getmappings(&sib) != IDMAP_SUCCESS)
651 		return (NT_STATUS_INTERNAL_ERROR);
652 
653 	token->tkn_user.i_sid = smb_sid_dup(umap->sim_sid);
654 	token->tkn_primary_grp.i_sid = smb_sid_dup(gmap->sim_sid);
655 
656 	smb_idmap_batch_destroy(&sib);
657 
658 	if (token->tkn_user.i_sid == NULL ||
659 	    token->tkn_primary_grp.i_sid == NULL)
660 		return (NT_STATUS_NO_MEMORY);
661 
662 	return (smb_token_setup_wingrps(token));
663 }
664 
665 /*
666  * Setup access token for guest connections
667  */
668 static uint32_t
669 smb_token_setup_guest(smb_logon_t *user_info, smb_token_t *token)
670 {
671 	token->tkn_account_name = strdup(user_info->lg_e_username);
672 
673 	(void) rw_rdlock(&smb_logoninit_rwl);
674 	token->tkn_domain_name = strdup(smb_guest.a_domain);
675 	token->tkn_user.i_sid = smb_sid_dup(smb_guest.a_sid);
676 	token->tkn_primary_grp.i_sid = smb_sid_dup(smb_domusers.a_sid);
677 	(void) rw_unlock(&smb_logoninit_rwl);
678 	token->tkn_flags = SMB_ATF_GUEST;
679 
680 	if (token->tkn_account_name == NULL ||
681 	    token->tkn_domain_name == NULL ||
682 	    token->tkn_user.i_sid == NULL ||
683 	    token->tkn_primary_grp.i_sid == NULL)
684 		return (NT_STATUS_NO_MEMORY);
685 
686 	return (smb_token_setup_wingrps(token));
687 }
688 
689 /*
690  * Setup access token for anonymous connections
691  */
692 static uint32_t
693 smb_token_setup_anon(smb_token_t *token)
694 {
695 	smb_sid_t *user_sid;
696 
697 	token->tkn_account_name = strdup("Anonymous");
698 	token->tkn_domain_name = strdup("NT Authority");
699 	user_sid = smb_wka_get_sid("Anonymous");
700 	token->tkn_user.i_sid = smb_sid_dup(user_sid);
701 	token->tkn_primary_grp.i_sid = smb_sid_dup(user_sid);
702 	token->tkn_flags = SMB_ATF_ANON;
703 
704 	if (token->tkn_account_name == NULL ||
705 	    token->tkn_domain_name == NULL ||
706 	    token->tkn_user.i_sid == NULL ||
707 	    token->tkn_primary_grp.i_sid == NULL)
708 		return (NT_STATUS_NO_MEMORY);
709 
710 	return (smb_token_setup_wingrps(token));
711 }
712 
713 /*
714  * smb_token_user_sid
715  *
716  * Return a pointer to the user SID in the specified token. A null
717  * pointer indicates an error.
718  */
719 static smb_sid_t *
720 smb_token_user_sid(smb_token_t *token)
721 {
722 	return ((token) ? token->tkn_user.i_sid : NULL);
723 }
724 
725 /*
726  * smb_token_group_sid
727  *
728  * Return a pointer to the group SID as indicated by the iterator.
729  * Setting the iterator to 0 before calling this function will return
730  * the first group, which will always be the primary group. The
731  * iterator will be incremented before returning the SID so that this
732  * function can be used to cycle through the groups. The caller can
733  * adjust the iterator as required between calls to obtain any specific
734  * group.
735  *
736  * On success a pointer to the appropriate group SID will be returned.
737  * Otherwise a null pointer will be returned.
738  */
739 static smb_sid_t *
740 smb_token_group_sid(smb_token_t *token, int *iterator)
741 {
742 	int index;
743 
744 	if (token == NULL || iterator == NULL)
745 		return (NULL);
746 
747 	if (token->tkn_win_grps.i_ids == NULL)
748 		return (NULL);
749 
750 	index = *iterator;
751 
752 	if (index < 0 || index >= token->tkn_win_grps.i_cnt)
753 		return (NULL);
754 
755 	++(*iterator);
756 	return (token->tkn_win_grps.i_ids[index].i_sid);
757 }
758 
759 /*
760  * smb_token_is_member
761  *
762  * This function will determine whether or not the specified SID is a
763  * member of a token. The user SID and all group SIDs are tested.
764  * Returns 1 if the SID is a member of the token. Otherwise returns 0.
765  */
766 static boolean_t
767 smb_token_is_member(smb_token_t *token, smb_sid_t *sid)
768 {
769 	smb_sid_t *tsid;
770 	int iterator = 0;
771 
772 	if (token == NULL || sid == NULL)
773 		return (B_FALSE);
774 
775 	tsid = smb_token_user_sid(token);
776 	while (tsid) {
777 		if (smb_sid_cmp(tsid, sid))
778 			return (B_TRUE);
779 
780 		tsid = smb_token_group_sid(token, &iterator);
781 	}
782 
783 	return (B_FALSE);
784 }
785 
786 /*
787  * smb_token_log
788  *
789  * Diagnostic routine to write the contents of a token to the log.
790  */
791 void
792 smb_token_log(smb_token_t *token)
793 {
794 	smb_ids_t *w_grps;
795 	smb_id_t *grp;
796 	smb_posix_grps_t *x_grps;
797 	char sidstr[SMB_SID_STRSZ];
798 	int i;
799 
800 	if (token == NULL)
801 		return;
802 
803 	syslog(LOG_DEBUG, "Token for %s\\%s",
804 	    (token->tkn_domain_name) ? token->tkn_domain_name : "-NULL-",
805 	    (token->tkn_account_name) ? token->tkn_account_name : "-NULL-");
806 
807 	syslog(LOG_DEBUG, "   User->Attr: %d", token->tkn_user.i_attrs);
808 	smb_sid_tostr((smb_sid_t *)token->tkn_user.i_sid, sidstr);
809 	syslog(LOG_DEBUG, "   User->Sid: %s (id=%u)", sidstr,
810 	    token->tkn_user.i_id);
811 
812 	smb_sid_tostr((smb_sid_t *)token->tkn_owner.i_sid, sidstr);
813 	syslog(LOG_DEBUG, "   Ownr->Sid: %s (id=%u)",
814 	    sidstr, token->tkn_owner.i_id);
815 
816 	smb_sid_tostr((smb_sid_t *)token->tkn_primary_grp.i_sid, sidstr);
817 	syslog(LOG_DEBUG, "   PGrp->Sid: %s (id=%u)",
818 	    sidstr, token->tkn_primary_grp.i_id);
819 
820 	w_grps = &token->tkn_win_grps;
821 	if (w_grps->i_ids) {
822 		syslog(LOG_DEBUG, "   Windows groups: %d", w_grps->i_cnt);
823 		grp = w_grps->i_ids;
824 		for (i = 0; i < w_grps->i_cnt; ++i, grp++) {
825 			syslog(LOG_DEBUG,
826 			    "    Grp[%d].Attr:%d", i, grp->i_attrs);
827 			if (grp->i_sid != NULL) {
828 				smb_sid_tostr((smb_sid_t *)grp->i_sid, sidstr);
829 				syslog(LOG_DEBUG,
830 				    "    Grp[%d].Sid: %s (id=%u)", i, sidstr,
831 				    grp->i_id);
832 			}
833 		}
834 	} else {
835 		syslog(LOG_DEBUG, "   No Windows groups");
836 	}
837 
838 	x_grps = token->tkn_posix_grps;
839 	if (x_grps) {
840 		syslog(LOG_DEBUG, "   Solaris groups: %d", x_grps->pg_ngrps);
841 		for (i = 0; i < x_grps->pg_ngrps; i++)
842 			syslog(LOG_DEBUG, "    %u", x_grps->pg_grps[i]);
843 	} else {
844 		syslog(LOG_DEBUG, "   No Solaris groups");
845 	}
846 
847 	if (token->tkn_privileges)
848 		smb_privset_log(token->tkn_privileges);
849 	else
850 		syslog(LOG_DEBUG, "   No privileges");
851 }
852 
853 /*
854  * Sets up local and well-known group membership for the given
855  * token. Two assumptions have been made here:
856  *
857  *   a) token already contains a valid user SID so that group
858  *      memberships can be established
859  *
860  *   b) token belongs to a local or anonymous user
861  */
862 static uint32_t
863 smb_token_setup_wingrps(smb_token_t *token)
864 {
865 	smb_ids_t tkn_grps;
866 	uint32_t status;
867 
868 
869 	/*
870 	 * We always want the user's primary group in the list
871 	 * of groups.
872 	 */
873 	tkn_grps.i_cnt = 1;
874 	if ((tkn_grps.i_ids = malloc(sizeof (smb_id_t))) == NULL)
875 		return (NT_STATUS_NO_MEMORY);
876 
877 	tkn_grps.i_ids->i_sid = smb_sid_dup(token->tkn_primary_grp.i_sid);
878 	tkn_grps.i_ids->i_attrs = token->tkn_primary_grp.i_attrs;
879 	if (tkn_grps.i_ids->i_sid == NULL) {
880 		smb_ids_free(&tkn_grps);
881 		return (NT_STATUS_NO_MEMORY);
882 	}
883 
884 	status = smb_sam_usr_groups(token->tkn_user.i_sid, &tkn_grps);
885 	if (status != NT_STATUS_SUCCESS) {
886 		smb_ids_free(&tkn_grps);
887 		return (status);
888 	}
889 
890 	status = smb_wka_token_groups(token->tkn_flags, &tkn_grps);
891 	if (status != NT_STATUS_SUCCESS) {
892 		smb_ids_free(&tkn_grps);
893 		return (status);
894 	}
895 
896 	token->tkn_win_grps = tkn_grps;
897 	return (status);
898 }
899 
900 /*
901  * Returns the guest account name in the provided buffer.
902  *
903  * By default the name would be "guest" unless there's
904  * a idmap name-based rule which maps the guest to a local
905  * Solaris user in which case the name of that user is
906  * returned.
907  */
908 static void
909 smb_guest_account(char *guest, size_t buflen)
910 {
911 	idmap_stat stat;
912 	uid_t guest_uid;
913 	struct passwd pw;
914 	char pwbuf[1024];
915 	int idtype;
916 
917 	/* default Guest account name */
918 	(void) rw_rdlock(&smb_logoninit_rwl);
919 	(void) strlcpy(guest, smb_guest.a_name, buflen);
920 
921 	idtype = SMB_IDMAP_USER;
922 	stat = smb_idmap_getid(smb_guest.a_sid, &guest_uid, &idtype);
923 	(void) rw_unlock(&smb_logoninit_rwl);
924 
925 	if (stat != IDMAP_SUCCESS)
926 		return;
927 
928 	/* If Ephemeral ID return the default name */
929 	if (IDMAP_ID_IS_EPHEMERAL(guest_uid))
930 		return;
931 
932 	if (getpwuid_r(guest_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL)
933 		return;
934 
935 	(void) strlcpy(guest, pw.pw_name, buflen);
936 }
937