1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright (c) 2016 by Delphix. All rights reserved.
24 * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
25 * Copyright 2023 RackTop Systems, Inc.
26 */
27
28 #include <unistd.h>
29 #include <strings.h>
30 #include <pwd.h>
31 #include <grp.h>
32 #include <time.h>
33 #include <syslog.h>
34 #include <assert.h>
35 #include <synch.h>
36
37 #include <smbsrv/libsmb.h>
38 #include <smbsrv/libmlsvc.h>
39
40 #include <smbsrv/smbinfo.h>
41 #include <smbsrv/smb_token.h>
42 #include <lsalib.h>
43
44 static smb_account_t smb_guest;
45 static smb_account_t smb_domusers;
46 static rwlock_t smb_logoninit_rwl;
47
48 typedef void (*smb_logonop_t)(smb_logon_t *, smb_token_t *);
49
50 static void smb_logon_local(smb_logon_t *, smb_token_t *);
51 static void smb_logon_guest(smb_logon_t *, smb_token_t *);
52 static void smb_logon_anon(smb_logon_t *, smb_token_t *);
53
54 static uint32_t smb_token_auth_local(smb_logon_t *, smb_token_t *,
55 smb_passwd_t *);
56
57 static uint32_t smb_token_setup_local(smb_passwd_t *, smb_token_t *);
58 static uint32_t smb_token_setup_guest(smb_logon_t *, smb_token_t *);
59 static uint32_t smb_token_setup_anon(smb_token_t *token);
60
61 static boolean_t smb_token_is_member(smb_token_t *, smb_sid_t *);
62 static uint32_t smb_token_setup_wingrps(smb_token_t *);
63 static smb_posix_grps_t *smb_token_create_pxgrps(uid_t);
64
65 static void smb_guest_account(char *, size_t);
66
67 /* Consolidation private function from Network Repository */
68 extern int _getgroupsbymember(const char *, gid_t[], int, int);
69
70 static idmap_stat
smb_token_idmap(smb_token_t * token,smb_idmap_batch_t * sib)71 smb_token_idmap(smb_token_t *token, smb_idmap_batch_t *sib)
72 {
73 idmap_stat stat;
74 smb_idmap_t *sim;
75 smb_id_t *id;
76 int i;
77
78 if (!token || !sib)
79 return (IDMAP_ERR_ARG);
80
81 sim = sib->sib_maps;
82
83 if (token->tkn_flags & SMB_ATF_ANON) {
84 token->tkn_user.i_id = UID_NOBODY;
85 token->tkn_owner.i_id = UID_NOBODY;
86 } else {
87 /* User SID */
88 id = &token->tkn_user;
89 sim->sim_id = &id->i_id;
90 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++,
91 id->i_sid, SMB_IDMAP_USER);
92
93 if (stat != IDMAP_SUCCESS)
94 return (stat);
95
96 /* Owner SID */
97 id = &token->tkn_owner;
98 sim->sim_id = &id->i_id;
99 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++,
100 id->i_sid, SMB_IDMAP_USER);
101
102 if (stat != IDMAP_SUCCESS)
103 return (stat);
104 }
105
106 /* Primary Group SID */
107 id = &token->tkn_primary_grp;
108 sim->sim_id = &id->i_id;
109 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, id->i_sid,
110 SMB_IDMAP_GROUP);
111
112 if (stat != IDMAP_SUCCESS)
113 return (stat);
114
115 /* Other Windows Group SIDs */
116 for (i = 0; i < token->tkn_win_grps.i_cnt; i++, sim++) {
117 id = &token->tkn_win_grps.i_ids[i];
118 sim->sim_id = &id->i_id;
119 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim,
120 id->i_sid, SMB_IDMAP_GROUP);
121
122 if (stat != IDMAP_SUCCESS)
123 break;
124 }
125
126 return (stat);
127 }
128
129 /*
130 * Custom error callback for smb_token_sids2ids
131 */
132 static void
smb_token_bgm_error(smb_idmap_batch_t * sib,smb_idmap_t * sim)133 smb_token_bgm_error(smb_idmap_batch_t *sib, smb_idmap_t *sim)
134 {
135 syslog(LOG_INFO, "smb_token_sids2ids: Can't get ID for "
136 "SID %s-%u, status=%d",
137 sim->sim_domsid, sim->sim_rid, sim->sim_stat);
138 }
139
140 /*
141 * smb_token_sids2ids
142 *
143 * This will map all the SIDs of the access token to UIDs/GIDs.
144 * However, if there are some SIDs we can't map to UIDs/GIDs,
145 * we don't want to fail the logon, and instead just log the
146 * SIDs we could not map and continue as best we can.
147 * The flag SMB_IDMAP_SKIP_ERRS below does that.
148 *
149 * Returns 0 upon success. Otherwise, returns -1.
150 */
151 static int
smb_token_sids2ids(smb_token_t * token)152 smb_token_sids2ids(smb_token_t *token)
153 {
154 idmap_stat stat;
155 int nmaps;
156 smb_idmap_batch_t sib;
157
158 /*
159 * Number of idmap lookups: user SID, owner SID, primary group SID,
160 * and all Windows group SIDs. Skip user/owner SID for Anonymous.
161 */
162 if (token->tkn_flags & SMB_ATF_ANON)
163 nmaps = token->tkn_win_grps.i_cnt + 1;
164 else
165 nmaps = token->tkn_win_grps.i_cnt + 3;
166
167 stat = smb_idmap_batch_create(&sib, nmaps,
168 SMB_IDMAP_SID2ID | SMB_IDMAP_SKIP_ERRS);
169 if (stat != IDMAP_SUCCESS)
170 return (-1);
171
172 stat = smb_token_idmap(token, &sib);
173 if (stat != IDMAP_SUCCESS) {
174 smb_idmap_batch_destroy(&sib);
175 return (-1);
176 }
177
178 /* Custom error CB here. */
179 stat = smb_idmap_batch_getmappings(&sib, smb_token_bgm_error);
180 if (sib.sib_nerr != 0) {
181 syslog(LOG_DEBUG, "Token for user \"%s\\%s\" has "
182 "%d SIDs that could not be mapped to IDs",
183 (token->tkn_domain_name) ?
184 token->tkn_domain_name : "?",
185 (token->tkn_account_name) ?
186 token->tkn_account_name : "?",
187 sib.sib_nerr);
188 }
189
190 smb_idmap_batch_destroy(&sib);
191
192 return (stat == IDMAP_SUCCESS ? 0 : -1);
193 }
194
195 /*
196 * smb_token_create_pxgrps
197 *
198 * Setup the POSIX group membership of the access token if the given UID is
199 * a POSIX UID (non-ephemeral). Both the user's primary group and
200 * supplementary groups will be added to the POSIX group array of the access
201 * token.
202 */
203 static smb_posix_grps_t *
smb_token_create_pxgrps(uid_t uid)204 smb_token_create_pxgrps(uid_t uid)
205 {
206 struct passwd *pwd;
207 smb_posix_grps_t *pgrps;
208 int ngroups_max, num;
209 gid_t *gids;
210
211 if ((ngroups_max = sysconf(_SC_NGROUPS_MAX)) < 0) {
212 syslog(LOG_ERR, "smb_logon: failed to get _SC_NGROUPS_MAX");
213 return (NULL);
214 }
215
216 pwd = getpwuid(uid);
217 if (pwd == NULL) {
218 pgrps = malloc(sizeof (smb_posix_grps_t));
219 if (pgrps == NULL)
220 return (NULL);
221
222 pgrps->pg_ngrps = 0;
223 return (pgrps);
224 }
225
226 if (pwd->pw_name == NULL) {
227 pgrps = malloc(sizeof (smb_posix_grps_t));
228 if (pgrps == NULL)
229 return (NULL);
230
231 pgrps->pg_ngrps = 1;
232 pgrps->pg_grps[0] = pwd->pw_gid;
233 return (pgrps);
234 }
235
236 gids = (gid_t *)malloc(ngroups_max * sizeof (gid_t));
237 if (gids == NULL) {
238 return (NULL);
239 }
240 bzero(gids, ngroups_max * sizeof (gid_t));
241
242 gids[0] = pwd->pw_gid;
243
244 /*
245 * Setup the groups starting at index 1 (the last arg)
246 * of gids array.
247 */
248 num = _getgroupsbymember(pwd->pw_name, gids, ngroups_max, 1);
249
250 if (num == -1) {
251 syslog(LOG_ERR, "smb_logon: unable "
252 "to get user's supplementary groups");
253 num = 1;
254 }
255
256 pgrps = (smb_posix_grps_t *)malloc(SMB_POSIX_GRPS_SIZE(num));
257 if (pgrps) {
258 pgrps->pg_ngrps = num;
259 bcopy(gids, pgrps->pg_grps, num * sizeof (gid_t));
260 }
261
262 free(gids);
263 return (pgrps);
264 }
265
266 /*
267 * smb_token_destroy
268 *
269 * Release all of the memory associated with a token structure. Ensure
270 * that the token has been unlinked before calling.
271 */
272 void
smb_token_destroy(smb_token_t * token)273 smb_token_destroy(smb_token_t *token)
274 {
275 if (token != NULL) {
276 smb_sid_free(token->tkn_user.i_sid);
277 smb_sid_free(token->tkn_owner.i_sid);
278 smb_sid_free(token->tkn_primary_grp.i_sid);
279 smb_ids_free(&token->tkn_win_grps);
280 smb_privset_free(token->tkn_privileges);
281 free(token->tkn_posix_grps);
282 free(token->tkn_account_name);
283 free(token->tkn_domain_name);
284 free(token->tkn_ssnkey.val);
285 bzero(token, sizeof (smb_token_t));
286 free(token);
287 }
288 }
289
290 /*
291 * Token owner should be set to local Administrators group
292 * in two cases:
293 * 1. The logged on user is a member of Domain Admins group
294 * 2. They are a member of local Administrators group
295 */
296 static void
smb_token_set_owner(smb_token_t * token)297 smb_token_set_owner(smb_token_t *token)
298 {
299 #ifdef SMB_SUPPORT_GROUP_OWNER
300 smb_sid_t *owner_sid;
301
302 if (token->tkn_flags & SMB_ATF_ADMIN) {
303 owner_sid = smb_wka_get_sid("Administrators");
304 assert(owner_sid);
305 } else {
306 owner_sid = token->tkn_user->i_sid;
307 }
308
309 token->tkn_owner.i_sid = smb_sid_dup(owner_sid);
310 #endif
311 token->tkn_owner.i_sid = smb_sid_dup(token->tkn_user.i_sid);
312 }
313
314 static smb_privset_t *
smb_token_create_privs(smb_token_t * token)315 smb_token_create_privs(smb_token_t *token)
316 {
317 smb_privset_t *privs;
318 smb_giter_t gi;
319 smb_group_t grp;
320 int rc;
321
322 privs = smb_privset_new();
323 if (privs == NULL)
324 return (NULL);
325
326 if (smb_lgrp_iteropen(&gi) != SMB_LGRP_SUCCESS) {
327 smb_privset_free(privs);
328 return (NULL);
329 }
330
331 while (smb_lgrp_iterate(&gi, &grp) == SMB_LGRP_SUCCESS) {
332 if (smb_lgrp_is_member(&grp, token->tkn_user.i_sid))
333 smb_privset_merge(privs, grp.sg_privs);
334 smb_lgrp_free(&grp);
335 }
336 smb_lgrp_iterclose(&gi);
337
338 if (token->tkn_flags & SMB_ATF_ADMIN) {
339 char admgrp[] = "Administrators";
340
341 rc = smb_lgrp_getbyname(admgrp, &grp);
342 if (rc == SMB_LGRP_SUCCESS) {
343 smb_privset_merge(privs, grp.sg_privs);
344 smb_lgrp_free(&grp);
345 }
346
347 /*
348 * This privilege is required to view/edit SACL
349 */
350 smb_privset_enable(privs, SE_SECURITY_LUID);
351 }
352
353 /*
354 * Members of "Authenticated Users" (!anon) should normally get
355 * "Bypass traverse checking" privilege, though we allow this
356 * to be disabled (see smb.4). For historical reasons, the
357 * internal privilege name is "SeChangeNotifyPrivilege".
358 */
359 if ((token->tkn_flags & SMB_ATF_ANON) == 0 &&
360 smb_config_getbool(SMB_CI_BYPASS_TRAVERSE_CHECKING))
361 smb_privset_enable(privs, SE_CHANGE_NOTIFY_LUID);
362
363 return (privs);
364 }
365
366 static void
smb_token_set_flags(smb_token_t * token)367 smb_token_set_flags(smb_token_t *token)
368 {
369 if (smb_token_is_member(token, smb_wka_get_sid("Administrators")))
370 token->tkn_flags |= SMB_ATF_ADMIN;
371
372 if (smb_token_is_member(token, smb_wka_get_sid("Power Users")))
373 token->tkn_flags |= SMB_ATF_POWERUSER;
374
375 if (smb_token_is_member(token, smb_wka_get_sid("Backup Operators")))
376 token->tkn_flags |= SMB_ATF_BACKUPOP;
377 }
378
379 /*
380 * Common token setup for both local and domain users.
381 * This function must be called after the initial setup
382 * has been done.
383 *
384 * Note that the order of calls in this function are important.
385 *
386 * Returns B_TRUE for success.
387 */
388 boolean_t
smb_token_setup_common(smb_token_t * token)389 smb_token_setup_common(smb_token_t *token)
390 {
391 smb_token_set_flags(token);
392
393 smb_token_set_owner(token);
394 if (token->tkn_owner.i_sid == NULL)
395 return (B_FALSE);
396
397 /* Privileges */
398 token->tkn_privileges = smb_token_create_privs(token);
399 if (token->tkn_privileges == NULL)
400 return (B_FALSE);
401
402 if (smb_token_sids2ids(token) != 0) {
403 syslog(LOG_ERR, "%s\\%s: idmap failed",
404 token->tkn_domain_name, token->tkn_account_name);
405 return (B_FALSE);
406 }
407
408 /* Solaris Groups */
409 token->tkn_posix_grps = smb_token_create_pxgrps(token->tkn_user.i_id);
410
411 return (smb_token_valid(token));
412 }
413
414 uint32_t
smb_logon_init(void)415 smb_logon_init(void)
416 {
417 uint32_t status;
418
419 (void) rw_wrlock(&smb_logoninit_rwl);
420 status = smb_sam_lookup_name(NULL, "guest", SidTypeUser, &smb_guest);
421 if (status != NT_STATUS_SUCCESS) {
422 (void) rw_unlock(&smb_logoninit_rwl);
423 return (status);
424 }
425
426 status = smb_sam_lookup_name(NULL, "domain users", SidTypeGroup,
427 &smb_domusers);
428 if (status != NT_STATUS_SUCCESS) {
429 smb_account_free(&smb_guest);
430 bzero(&smb_guest, sizeof (smb_account_t));
431 (void) rw_unlock(&smb_logoninit_rwl);
432 return (status);
433 }
434
435 (void) rw_unlock(&smb_logoninit_rwl);
436 return (status);
437 }
438
439 void
smb_logon_fini(void)440 smb_logon_fini(void)
441 {
442 (void) rw_wrlock(&smb_logoninit_rwl);
443 smb_account_free(&smb_guest);
444 smb_account_free(&smb_domusers);
445 bzero(&smb_guest, sizeof (smb_account_t));
446 bzero(&smb_domusers, sizeof (smb_account_t));
447 (void) rw_unlock(&smb_logoninit_rwl);
448 }
449
450 /*
451 * Perform user authentication.
452 *
453 * The dispatched functions must only update the user_info status if they
454 * attempt to authenticate the user.
455 *
456 * On success, a pointer to a new access token is returned.
457 * On failure, NULL return and status in user_info->lg_status
458 */
459 smb_token_t *
smb_logon(smb_logon_t * user_info)460 smb_logon(smb_logon_t *user_info)
461 {
462 static smb_logonop_t ops[] = {
463 smb_logon_anon,
464 smb_logon_local,
465 smb_logon_domain,
466 smb_logon_guest
467 };
468 smb_token_t *token = NULL;
469 smb_domain_t domain;
470 int n_op = (sizeof (ops) / sizeof (ops[0]));
471 int i;
472
473 user_info->lg_secmode = smb_config_get_secmode();
474
475 if (smb_domain_lookup_name(user_info->lg_e_domain, &domain))
476 user_info->lg_domain_type = domain.di_type;
477 else
478 user_info->lg_domain_type = SMB_DOMAIN_NULL;
479
480 if ((token = calloc(1, sizeof (smb_token_t))) == NULL) {
481 syslog(LOG_ERR, "logon[%s\\%s]: %m",
482 user_info->lg_e_domain, user_info->lg_e_username);
483 return (NULL);
484 }
485
486 /*
487 * If any logonop function takes significant action
488 * (logon or authoratative failure) it will change
489 * this status field to something else.
490 */
491 user_info->lg_status = NT_STATUS_NO_SUCH_USER;
492 for (i = 0; i < n_op; ++i) {
493 (*ops[i])(user_info, token);
494
495 if (user_info->lg_status == NT_STATUS_SUCCESS)
496 break;
497 }
498
499 if (user_info->lg_status == NT_STATUS_SUCCESS) {
500 if (smb_token_setup_common(token))
501 return (token); /* success */
502 /*
503 * (else) smb_token_setup_common failed, which usually
504 * means smb_token_sids2ids() failed to map some SIDs to
505 * Unix IDs. This indicates an idmap config problem.
506 */
507 user_info->lg_status = NT_STATUS_INTERNAL_ERROR;
508 }
509
510 smb_token_destroy(token);
511
512 /*
513 * Any unknown user or bad password should result in
514 * NT_STATUS_LOGON_FAILURE (so we don't give hints).
515 */
516 if (user_info->lg_status == NT_STATUS_NO_SUCH_USER ||
517 user_info->lg_status == NT_STATUS_WRONG_PASSWORD)
518 user_info->lg_status = NT_STATUS_LOGON_FAILURE;
519
520 return (NULL);
521 }
522
523 /*
524 * If the user has an entry in the local database, attempt local authentication.
525 *
526 * In domain mode, we try to exclude domain accounts, which we do by only
527 * accepting local or null (blank) domain names here. Some clients (Mac OS)
528 * don't always send the domain name.
529 *
530 * If we are not going to attempt authentication, this function must return
531 * without updating the status.
532 */
533 static void
smb_logon_local(smb_logon_t * user_info,smb_token_t * token)534 smb_logon_local(smb_logon_t *user_info, smb_token_t *token)
535 {
536 char guest[SMB_USERNAME_MAXLEN];
537 smb_passwd_t smbpw;
538 uint32_t status;
539
540 if (user_info->lg_secmode == SMB_SECMODE_DOMAIN) {
541 if ((user_info->lg_domain_type != SMB_DOMAIN_LOCAL) &&
542 (user_info->lg_domain_type != SMB_DOMAIN_NULL))
543 return;
544 }
545
546 /*
547 * If the requested account name is "guest" (or whatever
548 * our guest account is named) then don't handle it here.
549 * Let this request fall through to smb_logon_guest().
550 */
551 smb_guest_account(guest, SMB_USERNAME_MAXLEN);
552 if (smb_strcasecmp(guest, user_info->lg_e_username, 0) == 0)
553 return;
554
555 status = smb_token_auth_local(user_info, token, &smbpw);
556 if (status == NT_STATUS_SUCCESS)
557 status = smb_token_setup_local(&smbpw, token);
558
559 user_info->lg_status = status;
560 }
561
562 /*
563 * Guest authentication. This may be a local guest account or the guest
564 * account may be mapped to a local account. These accounts are regular
565 * accounts with normal password protection.
566 *
567 * Only proceed with a guest logon if previous logon options have resulted
568 * in NO_SUCH_USER.
569 *
570 * If we are not going to attempt authentication, this function must return
571 * without updating the status.
572 */
573 static void
smb_logon_guest(smb_logon_t * user_info,smb_token_t * token)574 smb_logon_guest(smb_logon_t *user_info, smb_token_t *token)
575 {
576 char guest[SMB_USERNAME_MAXLEN];
577 smb_passwd_t smbpw;
578 char *temp;
579
580 if (user_info->lg_status != NT_STATUS_NO_SUCH_USER)
581 return;
582
583 /* Get the name of the guest account. */
584 smb_guest_account(guest, SMB_USERNAME_MAXLEN);
585
586 /* Does the guest account exist? */
587 if (smb_pwd_getpwnam(guest, &smbpw) == NULL)
588 return;
589
590 /* Is it enabled? (empty p/w is OK) */
591 if (smbpw.pw_flags & SMB_PWF_DISABLE)
592 return;
593
594 /*
595 * OK, give the client a guest logon. Note that on entry,
596 * lg_e_username is typically something other than "guest"
597 * so we need to set the effective username when createing
598 * the guest token.
599 */
600 temp = user_info->lg_e_username;
601 user_info->lg_e_username = guest;
602 user_info->lg_status = smb_token_setup_guest(user_info, token);
603 user_info->lg_e_username = temp;
604 }
605
606 /*
607 * If user_info represents an anonymous user then setup the token.
608 * Otherwise return without updating the status.
609 */
610 static void
smb_logon_anon(smb_logon_t * user_info,smb_token_t * token)611 smb_logon_anon(smb_logon_t *user_info, smb_token_t *token)
612 {
613 if (user_info->lg_flags & SMB_ATF_ANON)
614 user_info->lg_status = smb_token_setup_anon(token);
615 }
616
617 /*
618 * Try both LM hash and NT hashes with user's password(s) to authenticate
619 * the user.
620 */
621 static uint32_t
smb_token_auth_local(smb_logon_t * user_info,smb_token_t * token,smb_passwd_t * smbpw)622 smb_token_auth_local(smb_logon_t *user_info, smb_token_t *token,
623 smb_passwd_t *smbpw)
624 {
625 boolean_t ok;
626 uint32_t status = NT_STATUS_SUCCESS;
627
628 if (smb_pwd_getpwnam(user_info->lg_e_username, smbpw) == NULL)
629 return (NT_STATUS_NO_SUCH_USER);
630
631 if (smbpw->pw_flags & SMB_PWF_DISABLE)
632 return (NT_STATUS_ACCOUNT_DISABLED);
633
634 if ((smbpw->pw_flags & (SMB_PWF_LM | SMB_PWF_NT)) == 0) {
635 /*
636 * The SMB passwords have not been set.
637 * Return an error that suggests the
638 * password needs to be set.
639 */
640 return (NT_STATUS_PASSWORD_EXPIRED);
641 }
642
643 token->tkn_ssnkey.val = malloc(SMBAUTH_SESSION_KEY_SZ);
644 if (token->tkn_ssnkey.val == NULL)
645 return (NT_STATUS_NO_MEMORY);
646 token->tkn_ssnkey.len = SMBAUTH_SESSION_KEY_SZ;
647
648 ok = smb_auth_validate(
649 smbpw,
650 user_info->lg_domain,
651 user_info->lg_username,
652 user_info->lg_challenge_key.val,
653 user_info->lg_challenge_key.len,
654 user_info->lg_nt_password.val,
655 user_info->lg_nt_password.len,
656 user_info->lg_lm_password.val,
657 user_info->lg_lm_password.len,
658 token->tkn_ssnkey.val);
659 if (ok)
660 return (NT_STATUS_SUCCESS);
661
662 free(token->tkn_ssnkey.val);
663 token->tkn_ssnkey.val = NULL;
664 token->tkn_ssnkey.len = 0;
665
666 status = NT_STATUS_WRONG_PASSWORD;
667 syslog(LOG_NOTICE, "logon[%s\\%s]: %s",
668 user_info->lg_e_domain, user_info->lg_e_username,
669 xlate_nt_status(status));
670
671 return (status);
672 }
673
674 /*
675 * Setup an access token for the specified local user.
676 */
677 static uint32_t
smb_token_setup_local(smb_passwd_t * smbpw,smb_token_t * token)678 smb_token_setup_local(smb_passwd_t *smbpw, smb_token_t *token)
679 {
680 idmap_stat stat;
681 smb_idmap_batch_t sib;
682 smb_idmap_t *umap, *gmap;
683 struct passwd pw;
684 char pwbuf[1024];
685 char nbname[NETBIOS_NAME_SZ];
686
687 (void) smb_getnetbiosname(nbname, sizeof (nbname));
688 token->tkn_account_name = strdup(smbpw->pw_name);
689 token->tkn_domain_name = strdup(nbname);
690
691 if (token->tkn_account_name == NULL ||
692 token->tkn_domain_name == NULL)
693 return (NT_STATUS_NO_MEMORY);
694
695 if (getpwuid_r(smbpw->pw_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL)
696 return (NT_STATUS_NO_SUCH_USER);
697
698 /* Get the SID for user's uid & gid */
699 stat = smb_idmap_batch_create(&sib, 2, SMB_IDMAP_ID2SID);
700 if (stat != IDMAP_SUCCESS)
701 return (NT_STATUS_INTERNAL_ERROR);
702
703 umap = &sib.sib_maps[0];
704 stat = smb_idmap_batch_getsid(sib.sib_idmaph, umap, pw.pw_uid,
705 SMB_IDMAP_USER);
706
707 if (stat != IDMAP_SUCCESS) {
708 smb_idmap_batch_destroy(&sib);
709 return (NT_STATUS_INTERNAL_ERROR);
710 }
711
712 gmap = &sib.sib_maps[1];
713 stat = smb_idmap_batch_getsid(sib.sib_idmaph, gmap, pw.pw_gid,
714 SMB_IDMAP_GROUP);
715
716 if (stat != IDMAP_SUCCESS) {
717 smb_idmap_batch_destroy(&sib);
718 return (NT_STATUS_INTERNAL_ERROR);
719 }
720
721 /* No error CB. Report errors below. */
722 stat = smb_idmap_batch_getmappings(&sib, NULL);
723
724 if (stat != IDMAP_SUCCESS) {
725 syslog(LOG_NOTICE, "logon[%s\\%s]: Can't get SID for "
726 "primary GID or UID",
727 nbname, smbpw->pw_name);
728 smb_idmap_batch_destroy(&sib);
729 return (NT_STATUS_INTERNAL_ERROR);
730 }
731
732 token->tkn_user.i_sid = smb_sid_dup(umap->sim_sid);
733 token->tkn_primary_grp.i_sid = smb_sid_dup(gmap->sim_sid);
734
735 smb_idmap_batch_destroy(&sib);
736
737 if (token->tkn_user.i_sid == NULL ||
738 token->tkn_primary_grp.i_sid == NULL)
739 return (NT_STATUS_NO_MEMORY);
740
741 return (smb_token_setup_wingrps(token));
742 }
743
744 /*
745 * Setup access token for guest connections
746 */
747 static uint32_t
smb_token_setup_guest(smb_logon_t * user_info,smb_token_t * token)748 smb_token_setup_guest(smb_logon_t *user_info, smb_token_t *token)
749 {
750 token->tkn_account_name = strdup(user_info->lg_e_username);
751
752 (void) rw_rdlock(&smb_logoninit_rwl);
753 token->tkn_domain_name = strdup(smb_guest.a_domain);
754 token->tkn_user.i_sid = smb_sid_dup(smb_guest.a_sid);
755 token->tkn_primary_grp.i_sid = smb_sid_dup(smb_domusers.a_sid);
756 (void) rw_unlock(&smb_logoninit_rwl);
757 token->tkn_flags = SMB_ATF_GUEST;
758
759 /*
760 * [MS-NLMP] 3.2.5.1.2 "Server Receives an AUTHENTICATE_MESSAGE from the
761 * Client":
762 * The 'SessionBaseKey' for Guests is 16-bytes of 0s.
763 */
764 token->tkn_ssnkey.val = calloc(1, SMBAUTH_SESSION_KEY_SZ);
765
766 if (token->tkn_account_name == NULL ||
767 token->tkn_domain_name == NULL ||
768 token->tkn_user.i_sid == NULL ||
769 token->tkn_primary_grp.i_sid == NULL ||
770 token->tkn_ssnkey.val == NULL)
771 return (NT_STATUS_NO_MEMORY);
772
773 token->tkn_ssnkey.len = SMBAUTH_SESSION_KEY_SZ;
774 return (smb_token_setup_wingrps(token));
775 }
776
777 /*
778 * Setup access token for anonymous connections
779 */
780 static uint32_t
smb_token_setup_anon(smb_token_t * token)781 smb_token_setup_anon(smb_token_t *token)
782 {
783 smb_sid_t *user_sid;
784
785 token->tkn_account_name = strdup("Anonymous");
786 token->tkn_domain_name = strdup("NT Authority");
787 user_sid = smb_wka_get_sid("Anonymous");
788 token->tkn_user.i_sid = smb_sid_dup(user_sid);
789 token->tkn_primary_grp.i_sid = smb_sid_dup(user_sid);
790 token->tkn_flags = SMB_ATF_ANON;
791
792 /*
793 * [MS-NLMP] 3.2.5.1.2 "Server Receives an AUTHENTICATE_MESSAGE from the
794 * Client":
795 * The 'SessionBaseKey' for Anonymous users is 16-bytes of 0s.
796 */
797 token->tkn_ssnkey.val = calloc(1, SMBAUTH_SESSION_KEY_SZ);
798
799 if (token->tkn_account_name == NULL ||
800 token->tkn_domain_name == NULL ||
801 token->tkn_user.i_sid == NULL ||
802 token->tkn_primary_grp.i_sid == NULL ||
803 token->tkn_ssnkey.val == NULL)
804 return (NT_STATUS_NO_MEMORY);
805
806 token->tkn_ssnkey.len = SMBAUTH_SESSION_KEY_SZ;
807 return (smb_token_setup_wingrps(token));
808 }
809
810 /*
811 * smb_token_user_sid
812 *
813 * Return a pointer to the user SID in the specified token. A null
814 * pointer indicates an error.
815 */
816 static smb_sid_t *
smb_token_user_sid(smb_token_t * token)817 smb_token_user_sid(smb_token_t *token)
818 {
819 return ((token) ? token->tkn_user.i_sid : NULL);
820 }
821
822 /*
823 * smb_token_group_sid
824 *
825 * Return a pointer to the group SID as indicated by the iterator.
826 * Setting the iterator to 0 before calling this function will return
827 * the first group, which will always be the primary group. The
828 * iterator will be incremented before returning the SID so that this
829 * function can be used to cycle through the groups. The caller can
830 * adjust the iterator as required between calls to obtain any specific
831 * group.
832 *
833 * On success a pointer to the appropriate group SID will be returned.
834 * Otherwise a null pointer will be returned.
835 */
836 static smb_sid_t *
smb_token_group_sid(smb_token_t * token,int * iterator)837 smb_token_group_sid(smb_token_t *token, int *iterator)
838 {
839 int index;
840
841 if (token == NULL || iterator == NULL)
842 return (NULL);
843
844 if (token->tkn_win_grps.i_ids == NULL)
845 return (NULL);
846
847 index = *iterator;
848
849 if (index < 0 || index >= token->tkn_win_grps.i_cnt)
850 return (NULL);
851
852 ++(*iterator);
853 return (token->tkn_win_grps.i_ids[index].i_sid);
854 }
855
856 /*
857 * smb_token_is_member
858 *
859 * This function will determine whether or not the specified SID is a
860 * member of a token. The user SID and all group SIDs are tested.
861 * Returns 1 if the SID is a member of the token. Otherwise returns 0.
862 */
863 static boolean_t
smb_token_is_member(smb_token_t * token,smb_sid_t * sid)864 smb_token_is_member(smb_token_t *token, smb_sid_t *sid)
865 {
866 smb_sid_t *tsid;
867 int iterator = 0;
868
869 if (token == NULL || sid == NULL)
870 return (B_FALSE);
871
872 tsid = smb_token_user_sid(token);
873 while (tsid) {
874 if (smb_sid_cmp(tsid, sid))
875 return (B_TRUE);
876
877 tsid = smb_token_group_sid(token, &iterator);
878 }
879
880 return (B_FALSE);
881 }
882
883 /*
884 * smb_token_log
885 *
886 * Diagnostic routine to write the contents of a token to the log.
887 */
888 void
smb_token_log(smb_token_t * token)889 smb_token_log(smb_token_t *token)
890 {
891 smb_ids_t *w_grps;
892 smb_id_t *grp;
893 smb_posix_grps_t *x_grps;
894 char sidstr[SMB_SID_STRSZ];
895 int i;
896
897 if (token == NULL)
898 return;
899
900 syslog(LOG_DEBUG, "Token for %s\\%s",
901 (token->tkn_domain_name) ? token->tkn_domain_name : "-NULL-",
902 (token->tkn_account_name) ? token->tkn_account_name : "-NULL-");
903
904 syslog(LOG_DEBUG, " User->Attr: %d", token->tkn_user.i_attrs);
905 smb_sid_tostr((smb_sid_t *)token->tkn_user.i_sid, sidstr);
906 syslog(LOG_DEBUG, " User->Sid: %s (id=%u)", sidstr,
907 token->tkn_user.i_id);
908
909 smb_sid_tostr((smb_sid_t *)token->tkn_owner.i_sid, sidstr);
910 syslog(LOG_DEBUG, " Ownr->Sid: %s (id=%u)",
911 sidstr, token->tkn_owner.i_id);
912
913 smb_sid_tostr((smb_sid_t *)token->tkn_primary_grp.i_sid, sidstr);
914 syslog(LOG_DEBUG, " PGrp->Sid: %s (id=%u)",
915 sidstr, token->tkn_primary_grp.i_id);
916
917 w_grps = &token->tkn_win_grps;
918 if (w_grps->i_ids) {
919 syslog(LOG_DEBUG, " Windows groups: %d", w_grps->i_cnt);
920 grp = w_grps->i_ids;
921 for (i = 0; i < w_grps->i_cnt; ++i, grp++) {
922 syslog(LOG_DEBUG,
923 " Grp[%d].Attr:%d", i, grp->i_attrs);
924 if (grp->i_sid != NULL) {
925 smb_sid_tostr((smb_sid_t *)grp->i_sid, sidstr);
926 syslog(LOG_DEBUG,
927 " Grp[%d].Sid: %s (id=%u)", i, sidstr,
928 grp->i_id);
929 }
930 }
931 } else {
932 syslog(LOG_DEBUG, " No Windows groups");
933 }
934
935 x_grps = token->tkn_posix_grps;
936 if (x_grps) {
937 syslog(LOG_DEBUG, " Solaris groups: %d", x_grps->pg_ngrps);
938 for (i = 0; i < x_grps->pg_ngrps; i++)
939 syslog(LOG_DEBUG, " %u", x_grps->pg_grps[i]);
940 } else {
941 syslog(LOG_DEBUG, " No Solaris groups");
942 }
943
944 if (token->tkn_privileges)
945 smb_privset_log(token->tkn_privileges);
946 else
947 syslog(LOG_DEBUG, " No privileges");
948 }
949
950 /*
951 * Sets up local and well-known group membership for the given
952 * token. Two assumptions have been made here:
953 *
954 * a) token already contains a valid user SID so that group
955 * memberships can be established
956 *
957 * b) token belongs to a local or anonymous user
958 */
959 static uint32_t
smb_token_setup_wingrps(smb_token_t * token)960 smb_token_setup_wingrps(smb_token_t *token)
961 {
962 smb_ids_t tkn_grps;
963 uint32_t status;
964
965
966 /*
967 * We always want the user's primary group in the list
968 * of groups.
969 */
970 tkn_grps.i_cnt = 1;
971 if ((tkn_grps.i_ids = malloc(sizeof (smb_id_t))) == NULL)
972 return (NT_STATUS_NO_MEMORY);
973
974 tkn_grps.i_ids->i_sid = smb_sid_dup(token->tkn_primary_grp.i_sid);
975 tkn_grps.i_ids->i_attrs = token->tkn_primary_grp.i_attrs;
976 if (tkn_grps.i_ids->i_sid == NULL) {
977 smb_ids_free(&tkn_grps);
978 return (NT_STATUS_NO_MEMORY);
979 }
980
981 status = smb_sam_usr_groups(token->tkn_user.i_sid, &tkn_grps);
982 if (status != NT_STATUS_SUCCESS) {
983 smb_ids_free(&tkn_grps);
984 return (status);
985 }
986
987 status = smb_wka_token_groups(token->tkn_flags, &tkn_grps);
988 if (status != NT_STATUS_SUCCESS) {
989 smb_ids_free(&tkn_grps);
990 return (status);
991 }
992
993 token->tkn_win_grps = tkn_grps;
994 return (status);
995 }
996
997 /*
998 * Returns the guest account name in the provided buffer.
999 *
1000 * By default the name would be "guest" unless there's
1001 * a idmap name-based rule which maps the guest to a local
1002 * Solaris user in which case the name of that user is
1003 * returned.
1004 */
1005 static void
smb_guest_account(char * guest,size_t buflen)1006 smb_guest_account(char *guest, size_t buflen)
1007 {
1008 idmap_stat stat;
1009 uid_t guest_uid;
1010 struct passwd pw;
1011 char pwbuf[1024];
1012 int idtype;
1013
1014 /* default Guest account name */
1015 (void) rw_rdlock(&smb_logoninit_rwl);
1016 (void) strlcpy(guest, smb_guest.a_name, buflen);
1017
1018 idtype = SMB_IDMAP_USER;
1019 stat = smb_idmap_getid(smb_guest.a_sid, &guest_uid, &idtype);
1020 (void) rw_unlock(&smb_logoninit_rwl);
1021
1022 if (stat != IDMAP_SUCCESS)
1023 return;
1024
1025 /* If Ephemeral ID return the default name */
1026 if (IDMAP_ID_IS_EPHEMERAL(guest_uid))
1027 return;
1028
1029 if (getpwuid_r(guest_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL)
1030 return;
1031
1032 (void) strlcpy(guest, pw.pw_name, buflen);
1033 }
1034