1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright (c) 2016 by Delphix. All rights reserved. 24 * Copyright 2018 Nexenta Systems, Inc. All rights reserved. 25 */ 26 27 #include <unistd.h> 28 #include <strings.h> 29 #include <pwd.h> 30 #include <grp.h> 31 #include <time.h> 32 #include <syslog.h> 33 #include <assert.h> 34 #include <synch.h> 35 36 #include <smbsrv/libsmb.h> 37 #include <smbsrv/libmlsvc.h> 38 39 #include <smbsrv/smbinfo.h> 40 #include <smbsrv/smb_token.h> 41 #include <lsalib.h> 42 43 static smb_account_t smb_guest; 44 static smb_account_t smb_domusers; 45 static rwlock_t smb_logoninit_rwl; 46 47 typedef void (*smb_logonop_t)(smb_logon_t *, smb_token_t *); 48 49 static void smb_logon_local(smb_logon_t *, smb_token_t *); 50 static void smb_logon_guest(smb_logon_t *, smb_token_t *); 51 static void smb_logon_anon(smb_logon_t *, smb_token_t *); 52 53 static uint32_t smb_token_auth_local(smb_logon_t *, smb_token_t *, 54 smb_passwd_t *); 55 56 static uint32_t smb_token_setup_local(smb_passwd_t *, smb_token_t *); 57 static uint32_t smb_token_setup_guest(smb_logon_t *, smb_token_t *); 58 static uint32_t smb_token_setup_anon(smb_token_t *token); 59 60 static boolean_t smb_token_is_member(smb_token_t *, smb_sid_t *); 61 static uint32_t smb_token_setup_wingrps(smb_token_t *); 62 static smb_posix_grps_t *smb_token_create_pxgrps(uid_t); 63 64 static void smb_guest_account(char *, size_t); 65 66 /* Consolidation private function from Network Repository */ 67 extern int _getgroupsbymember(const char *, gid_t[], int, int); 68 69 static idmap_stat 70 smb_token_idmap(smb_token_t *token, smb_idmap_batch_t *sib) 71 { 72 idmap_stat stat; 73 smb_idmap_t *sim; 74 smb_id_t *id; 75 int i; 76 77 if (!token || !sib) 78 return (IDMAP_ERR_ARG); 79 80 sim = sib->sib_maps; 81 82 if (token->tkn_flags & SMB_ATF_ANON) { 83 token->tkn_user.i_id = UID_NOBODY; 84 token->tkn_owner.i_id = UID_NOBODY; 85 } else { 86 /* User SID */ 87 id = &token->tkn_user; 88 sim->sim_id = &id->i_id; 89 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, 90 id->i_sid, SMB_IDMAP_USER); 91 92 if (stat != IDMAP_SUCCESS) 93 return (stat); 94 95 /* Owner SID */ 96 id = &token->tkn_owner; 97 sim->sim_id = &id->i_id; 98 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, 99 id->i_sid, SMB_IDMAP_USER); 100 101 if (stat != IDMAP_SUCCESS) 102 return (stat); 103 } 104 105 /* Primary Group SID */ 106 id = &token->tkn_primary_grp; 107 sim->sim_id = &id->i_id; 108 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim++, id->i_sid, 109 SMB_IDMAP_GROUP); 110 111 if (stat != IDMAP_SUCCESS) 112 return (stat); 113 114 /* Other Windows Group SIDs */ 115 for (i = 0; i < token->tkn_win_grps.i_cnt; i++, sim++) { 116 id = &token->tkn_win_grps.i_ids[i]; 117 sim->sim_id = &id->i_id; 118 stat = smb_idmap_batch_getid(sib->sib_idmaph, sim, 119 id->i_sid, SMB_IDMAP_GROUP); 120 121 if (stat != IDMAP_SUCCESS) 122 break; 123 } 124 125 return (stat); 126 } 127 128 /* 129 * smb_token_sids2ids 130 * 131 * This will map all the SIDs of the access token to UIDs/GIDs. 132 * However, if there are some SIDs we can't map to UIDs/GIDs, 133 * we don't want to fail the logon, and instead just log the 134 * SIDs we could not map and continue as best we can. 135 * The flag SMB_IDMAP_SKIP_ERRS below does that. 136 * 137 * Returns 0 upon success. Otherwise, returns -1. 138 */ 139 static int 140 smb_token_sids2ids(smb_token_t *token) 141 { 142 idmap_stat stat; 143 int nmaps; 144 smb_idmap_batch_t sib; 145 146 /* 147 * Number of idmap lookups: user SID, owner SID, primary group SID, 148 * and all Windows group SIDs. Skip user/owner SID for Anonymous. 149 */ 150 if (token->tkn_flags & SMB_ATF_ANON) 151 nmaps = token->tkn_win_grps.i_cnt + 1; 152 else 153 nmaps = token->tkn_win_grps.i_cnt + 3; 154 155 stat = smb_idmap_batch_create(&sib, nmaps, 156 SMB_IDMAP_SID2ID | SMB_IDMAP_SKIP_ERRS); 157 if (stat != IDMAP_SUCCESS) 158 return (-1); 159 160 stat = smb_token_idmap(token, &sib); 161 if (stat != IDMAP_SUCCESS) { 162 smb_idmap_batch_destroy(&sib); 163 return (-1); 164 } 165 166 stat = smb_idmap_batch_getmappings(&sib); 167 smb_idmap_check("smb_idmap_batch_getmappings", stat); 168 smb_idmap_batch_destroy(&sib); 169 170 return (stat == IDMAP_SUCCESS ? 0 : -1); 171 } 172 173 /* 174 * smb_token_create_pxgrps 175 * 176 * Setup the POSIX group membership of the access token if the given UID is 177 * a POSIX UID (non-ephemeral). Both the user's primary group and 178 * supplementary groups will be added to the POSIX group array of the access 179 * token. 180 */ 181 static smb_posix_grps_t * 182 smb_token_create_pxgrps(uid_t uid) 183 { 184 struct passwd *pwd; 185 smb_posix_grps_t *pgrps; 186 int ngroups_max, num; 187 gid_t *gids; 188 189 if ((ngroups_max = sysconf(_SC_NGROUPS_MAX)) < 0) { 190 syslog(LOG_ERR, "smb_logon: failed to get _SC_NGROUPS_MAX"); 191 return (NULL); 192 } 193 194 pwd = getpwuid(uid); 195 if (pwd == NULL) { 196 pgrps = malloc(sizeof (smb_posix_grps_t)); 197 if (pgrps == NULL) 198 return (NULL); 199 200 pgrps->pg_ngrps = 0; 201 return (pgrps); 202 } 203 204 if (pwd->pw_name == NULL) { 205 pgrps = malloc(sizeof (smb_posix_grps_t)); 206 if (pgrps == NULL) 207 return (NULL); 208 209 pgrps->pg_ngrps = 1; 210 pgrps->pg_grps[0] = pwd->pw_gid; 211 return (pgrps); 212 } 213 214 gids = (gid_t *)malloc(ngroups_max * sizeof (gid_t)); 215 if (gids == NULL) { 216 return (NULL); 217 } 218 bzero(gids, ngroups_max * sizeof (gid_t)); 219 220 gids[0] = pwd->pw_gid; 221 222 /* 223 * Setup the groups starting at index 1 (the last arg) 224 * of gids array. 225 */ 226 num = _getgroupsbymember(pwd->pw_name, gids, ngroups_max, 1); 227 228 if (num == -1) { 229 syslog(LOG_ERR, "smb_logon: unable " 230 "to get user's supplementary groups"); 231 num = 1; 232 } 233 234 pgrps = (smb_posix_grps_t *)malloc(SMB_POSIX_GRPS_SIZE(num)); 235 if (pgrps) { 236 pgrps->pg_ngrps = num; 237 bcopy(gids, pgrps->pg_grps, num * sizeof (gid_t)); 238 } 239 240 free(gids); 241 return (pgrps); 242 } 243 244 /* 245 * smb_token_destroy 246 * 247 * Release all of the memory associated with a token structure. Ensure 248 * that the token has been unlinked before calling. 249 */ 250 void 251 smb_token_destroy(smb_token_t *token) 252 { 253 if (token != NULL) { 254 smb_sid_free(token->tkn_user.i_sid); 255 smb_sid_free(token->tkn_owner.i_sid); 256 smb_sid_free(token->tkn_primary_grp.i_sid); 257 smb_ids_free(&token->tkn_win_grps); 258 smb_privset_free(token->tkn_privileges); 259 free(token->tkn_posix_grps); 260 free(token->tkn_account_name); 261 free(token->tkn_domain_name); 262 free(token->tkn_ssnkey.val); 263 bzero(token, sizeof (smb_token_t)); 264 free(token); 265 } 266 } 267 268 /* 269 * Token owner should be set to local Administrators group 270 * in two cases: 271 * 1. The logged on user is a member of Domain Admins group 272 * 2. They are a member of local Administrators group 273 */ 274 static void 275 smb_token_set_owner(smb_token_t *token) 276 { 277 #ifdef SMB_SUPPORT_GROUP_OWNER 278 smb_sid_t *owner_sid; 279 280 if (token->tkn_flags & SMB_ATF_ADMIN) { 281 owner_sid = smb_wka_get_sid("Administrators"); 282 assert(owner_sid); 283 } else { 284 owner_sid = token->tkn_user->i_sid; 285 } 286 287 token->tkn_owner.i_sid = smb_sid_dup(owner_sid); 288 #endif 289 token->tkn_owner.i_sid = smb_sid_dup(token->tkn_user.i_sid); 290 } 291 292 static smb_privset_t * 293 smb_token_create_privs(smb_token_t *token) 294 { 295 smb_privset_t *privs; 296 smb_giter_t gi; 297 smb_group_t grp; 298 int rc; 299 300 privs = smb_privset_new(); 301 if (privs == NULL) 302 return (NULL); 303 304 if (smb_lgrp_iteropen(&gi) != SMB_LGRP_SUCCESS) { 305 smb_privset_free(privs); 306 return (NULL); 307 } 308 309 while (smb_lgrp_iterate(&gi, &grp) == SMB_LGRP_SUCCESS) { 310 if (smb_lgrp_is_member(&grp, token->tkn_user.i_sid)) 311 smb_privset_merge(privs, grp.sg_privs); 312 smb_lgrp_free(&grp); 313 } 314 smb_lgrp_iterclose(&gi); 315 316 if (token->tkn_flags & SMB_ATF_ADMIN) { 317 char admgrp[] = "Administrators"; 318 319 rc = smb_lgrp_getbyname(admgrp, &grp); 320 if (rc == SMB_LGRP_SUCCESS) { 321 smb_privset_merge(privs, grp.sg_privs); 322 smb_lgrp_free(&grp); 323 } 324 325 /* 326 * This privilege is required to view/edit SACL 327 */ 328 smb_privset_enable(privs, SE_SECURITY_LUID); 329 } 330 331 /* 332 * Members of "Authenticated Users" (!anon) should normally get 333 * "Bypass traverse checking" privilege, though we allow this 334 * to be disabled (see smb.4). For historical reasons, the 335 * internal privilege name is "SeChangeNotifyPrivilege". 336 */ 337 if ((token->tkn_flags & SMB_ATF_ANON) == 0 && 338 smb_config_getbool(SMB_CI_BYPASS_TRAVERSE_CHECKING)) 339 smb_privset_enable(privs, SE_CHANGE_NOTIFY_LUID); 340 341 return (privs); 342 } 343 344 static void 345 smb_token_set_flags(smb_token_t *token) 346 { 347 if (smb_token_is_member(token, smb_wka_get_sid("Administrators"))) 348 token->tkn_flags |= SMB_ATF_ADMIN; 349 350 if (smb_token_is_member(token, smb_wka_get_sid("Power Users"))) 351 token->tkn_flags |= SMB_ATF_POWERUSER; 352 353 if (smb_token_is_member(token, smb_wka_get_sid("Backup Operators"))) 354 token->tkn_flags |= SMB_ATF_BACKUPOP; 355 } 356 357 /* 358 * Common token setup for both local and domain users. 359 * This function must be called after the initial setup 360 * has been done. 361 * 362 * Note that the order of calls in this function are important. 363 * 364 * Returns B_TRUE for success. 365 */ 366 boolean_t 367 smb_token_setup_common(smb_token_t *token) 368 { 369 smb_token_set_flags(token); 370 371 smb_token_set_owner(token); 372 if (token->tkn_owner.i_sid == NULL) 373 return (B_FALSE); 374 375 /* Privileges */ 376 token->tkn_privileges = smb_token_create_privs(token); 377 if (token->tkn_privileges == NULL) 378 return (B_FALSE); 379 380 if (smb_token_sids2ids(token) != 0) { 381 syslog(LOG_ERR, "%s\\%s: idmap failed", 382 token->tkn_domain_name, token->tkn_account_name); 383 return (B_FALSE); 384 } 385 386 /* Solaris Groups */ 387 token->tkn_posix_grps = smb_token_create_pxgrps(token->tkn_user.i_id); 388 389 return (smb_token_valid(token)); 390 } 391 392 uint32_t 393 smb_logon_init(void) 394 { 395 uint32_t status; 396 397 (void) rw_wrlock(&smb_logoninit_rwl); 398 status = smb_sam_lookup_name(NULL, "guest", SidTypeUser, &smb_guest); 399 if (status != NT_STATUS_SUCCESS) { 400 (void) rw_unlock(&smb_logoninit_rwl); 401 return (status); 402 } 403 404 status = smb_sam_lookup_name(NULL, "domain users", SidTypeGroup, 405 &smb_domusers); 406 if (status != NT_STATUS_SUCCESS) { 407 smb_account_free(&smb_guest); 408 bzero(&smb_guest, sizeof (smb_account_t)); 409 (void) rw_unlock(&smb_logoninit_rwl); 410 return (status); 411 } 412 413 (void) rw_unlock(&smb_logoninit_rwl); 414 return (status); 415 } 416 417 void 418 smb_logon_fini(void) 419 { 420 (void) rw_wrlock(&smb_logoninit_rwl); 421 smb_account_free(&smb_guest); 422 smb_account_free(&smb_domusers); 423 bzero(&smb_guest, sizeof (smb_account_t)); 424 bzero(&smb_domusers, sizeof (smb_account_t)); 425 (void) rw_unlock(&smb_logoninit_rwl); 426 } 427 428 /* 429 * Perform user authentication. 430 * 431 * The dispatched functions must only update the user_info status if they 432 * attempt to authenticate the user. 433 * 434 * On success, a pointer to a new access token is returned. 435 * On failure, NULL return and status in user_info->lg_status 436 */ 437 smb_token_t * 438 smb_logon(smb_logon_t *user_info) 439 { 440 static smb_logonop_t ops[] = { 441 smb_logon_anon, 442 smb_logon_local, 443 smb_logon_domain, 444 smb_logon_guest 445 }; 446 smb_token_t *token = NULL; 447 smb_domain_t domain; 448 int n_op = (sizeof (ops) / sizeof (ops[0])); 449 int i; 450 451 user_info->lg_secmode = smb_config_get_secmode(); 452 453 if (smb_domain_lookup_name(user_info->lg_e_domain, &domain)) 454 user_info->lg_domain_type = domain.di_type; 455 else 456 user_info->lg_domain_type = SMB_DOMAIN_NULL; 457 458 if ((token = calloc(1, sizeof (smb_token_t))) == NULL) { 459 syslog(LOG_ERR, "logon[%s\\%s]: %m", 460 user_info->lg_e_domain, user_info->lg_e_username); 461 return (NULL); 462 } 463 464 /* 465 * If any logonop function takes significant action 466 * (logon or authoratative failure) it will change 467 * this status field to something else. 468 */ 469 user_info->lg_status = NT_STATUS_NO_SUCH_USER; 470 for (i = 0; i < n_op; ++i) { 471 (*ops[i])(user_info, token); 472 473 if (user_info->lg_status == NT_STATUS_SUCCESS) 474 break; 475 } 476 477 if (user_info->lg_status == NT_STATUS_SUCCESS) { 478 if (smb_token_setup_common(token)) 479 return (token); /* success */ 480 /* 481 * (else) smb_token_setup_common failed, which usually 482 * means smb_token_sids2ids() failed to map some SIDs to 483 * Unix IDs. This indicates an idmap config problem. 484 */ 485 user_info->lg_status = NT_STATUS_INTERNAL_ERROR; 486 } 487 488 smb_token_destroy(token); 489 490 /* 491 * Any unknown user or bad password should result in 492 * NT_STATUS_LOGON_FAILURE (so we don't give hints). 493 */ 494 if (user_info->lg_status == NT_STATUS_NO_SUCH_USER || 495 user_info->lg_status == NT_STATUS_WRONG_PASSWORD) 496 user_info->lg_status = NT_STATUS_LOGON_FAILURE; 497 498 return (NULL); 499 } 500 501 /* 502 * If the user has an entry in the local database, attempt local authentication. 503 * 504 * In domain mode, we try to exclude domain accounts, which we do by only 505 * accepting local or null (blank) domain names here. Some clients (Mac OS) 506 * don't always send the domain name. 507 * 508 * If we are not going to attempt authentication, this function must return 509 * without updating the status. 510 */ 511 static void 512 smb_logon_local(smb_logon_t *user_info, smb_token_t *token) 513 { 514 char guest[SMB_USERNAME_MAXLEN]; 515 smb_passwd_t smbpw; 516 uint32_t status; 517 518 if (user_info->lg_secmode == SMB_SECMODE_DOMAIN) { 519 if ((user_info->lg_domain_type != SMB_DOMAIN_LOCAL) && 520 (user_info->lg_domain_type != SMB_DOMAIN_NULL)) 521 return; 522 } 523 524 /* 525 * If the requested account name is "guest" (or whatever 526 * our guest account is named) then don't handle it here. 527 * Let this request fall through to smb_logon_guest(). 528 */ 529 smb_guest_account(guest, SMB_USERNAME_MAXLEN); 530 if (smb_strcasecmp(guest, user_info->lg_e_username, 0) == 0) 531 return; 532 533 status = smb_token_auth_local(user_info, token, &smbpw); 534 if (status == NT_STATUS_SUCCESS) 535 status = smb_token_setup_local(&smbpw, token); 536 537 user_info->lg_status = status; 538 } 539 540 /* 541 * Guest authentication. This may be a local guest account or the guest 542 * account may be mapped to a local account. These accounts are regular 543 * accounts with normal password protection. 544 * 545 * Only proceed with a guest logon if previous logon options have resulted 546 * in NO_SUCH_USER. 547 * 548 * If we are not going to attempt authentication, this function must return 549 * without updating the status. 550 */ 551 static void 552 smb_logon_guest(smb_logon_t *user_info, smb_token_t *token) 553 { 554 char guest[SMB_USERNAME_MAXLEN]; 555 smb_passwd_t smbpw; 556 char *temp; 557 558 if (user_info->lg_status != NT_STATUS_NO_SUCH_USER) 559 return; 560 561 /* Get the name of the guest account. */ 562 smb_guest_account(guest, SMB_USERNAME_MAXLEN); 563 564 /* Does the guest account exist? */ 565 if (smb_pwd_getpwnam(guest, &smbpw) == NULL) 566 return; 567 568 /* Is it enabled? (empty p/w is OK) */ 569 if (smbpw.pw_flags & SMB_PWF_DISABLE) 570 return; 571 572 /* 573 * OK, give the client a guest logon. Note that on entry, 574 * lg_e_username is typically something other than "guest" 575 * so we need to set the effective username when createing 576 * the guest token. 577 */ 578 temp = user_info->lg_e_username; 579 user_info->lg_e_username = guest; 580 user_info->lg_status = smb_token_setup_guest(user_info, token); 581 user_info->lg_e_username = temp; 582 } 583 584 /* 585 * If user_info represents an anonymous user then setup the token. 586 * Otherwise return without updating the status. 587 */ 588 static void 589 smb_logon_anon(smb_logon_t *user_info, smb_token_t *token) 590 { 591 if (user_info->lg_flags & SMB_ATF_ANON) 592 user_info->lg_status = smb_token_setup_anon(token); 593 } 594 595 /* 596 * Try both LM hash and NT hashes with user's password(s) to authenticate 597 * the user. 598 */ 599 static uint32_t 600 smb_token_auth_local(smb_logon_t *user_info, smb_token_t *token, 601 smb_passwd_t *smbpw) 602 { 603 boolean_t ok; 604 uint32_t status = NT_STATUS_SUCCESS; 605 606 if (smb_pwd_getpwnam(user_info->lg_e_username, smbpw) == NULL) 607 return (NT_STATUS_NO_SUCH_USER); 608 609 if (smbpw->pw_flags & SMB_PWF_DISABLE) 610 return (NT_STATUS_ACCOUNT_DISABLED); 611 612 if ((smbpw->pw_flags & (SMB_PWF_LM | SMB_PWF_NT)) == 0) { 613 /* 614 * The SMB passwords have not been set. 615 * Return an error that suggests the 616 * password needs to be set. 617 */ 618 return (NT_STATUS_PASSWORD_EXPIRED); 619 } 620 621 token->tkn_ssnkey.val = malloc(SMBAUTH_SESSION_KEY_SZ); 622 if (token->tkn_ssnkey.val == NULL) 623 return (NT_STATUS_NO_MEMORY); 624 token->tkn_ssnkey.len = SMBAUTH_SESSION_KEY_SZ; 625 626 ok = smb_auth_validate( 627 smbpw, 628 user_info->lg_domain, 629 user_info->lg_username, 630 user_info->lg_challenge_key.val, 631 user_info->lg_challenge_key.len, 632 user_info->lg_nt_password.val, 633 user_info->lg_nt_password.len, 634 user_info->lg_lm_password.val, 635 user_info->lg_lm_password.len, 636 token->tkn_ssnkey.val); 637 if (ok) 638 return (NT_STATUS_SUCCESS); 639 640 free(token->tkn_ssnkey.val); 641 token->tkn_ssnkey.val = NULL; 642 token->tkn_ssnkey.len = 0; 643 644 status = NT_STATUS_WRONG_PASSWORD; 645 syslog(LOG_NOTICE, "logon[%s\\%s]: %s", 646 user_info->lg_e_domain, user_info->lg_e_username, 647 xlate_nt_status(status)); 648 649 return (status); 650 } 651 652 /* 653 * Setup an access token for the specified local user. 654 */ 655 static uint32_t 656 smb_token_setup_local(smb_passwd_t *smbpw, smb_token_t *token) 657 { 658 idmap_stat stat; 659 smb_idmap_batch_t sib; 660 smb_idmap_t *umap, *gmap; 661 struct passwd pw; 662 char pwbuf[1024]; 663 char nbname[NETBIOS_NAME_SZ]; 664 665 (void) smb_getnetbiosname(nbname, sizeof (nbname)); 666 token->tkn_account_name = strdup(smbpw->pw_name); 667 token->tkn_domain_name = strdup(nbname); 668 669 if (token->tkn_account_name == NULL || 670 token->tkn_domain_name == NULL) 671 return (NT_STATUS_NO_MEMORY); 672 673 if (getpwuid_r(smbpw->pw_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL) 674 return (NT_STATUS_NO_SUCH_USER); 675 676 /* Get the SID for user's uid & gid */ 677 stat = smb_idmap_batch_create(&sib, 2, SMB_IDMAP_ID2SID); 678 if (stat != IDMAP_SUCCESS) 679 return (NT_STATUS_INTERNAL_ERROR); 680 681 umap = &sib.sib_maps[0]; 682 stat = smb_idmap_batch_getsid(sib.sib_idmaph, umap, pw.pw_uid, 683 SMB_IDMAP_USER); 684 685 if (stat != IDMAP_SUCCESS) { 686 smb_idmap_batch_destroy(&sib); 687 return (NT_STATUS_INTERNAL_ERROR); 688 } 689 690 gmap = &sib.sib_maps[1]; 691 stat = smb_idmap_batch_getsid(sib.sib_idmaph, gmap, pw.pw_gid, 692 SMB_IDMAP_GROUP); 693 694 if (stat != IDMAP_SUCCESS) { 695 smb_idmap_batch_destroy(&sib); 696 return (NT_STATUS_INTERNAL_ERROR); 697 } 698 699 if (smb_idmap_batch_getmappings(&sib) != IDMAP_SUCCESS) 700 return (NT_STATUS_INTERNAL_ERROR); 701 702 token->tkn_user.i_sid = smb_sid_dup(umap->sim_sid); 703 token->tkn_primary_grp.i_sid = smb_sid_dup(gmap->sim_sid); 704 705 smb_idmap_batch_destroy(&sib); 706 707 if (token->tkn_user.i_sid == NULL || 708 token->tkn_primary_grp.i_sid == NULL) 709 return (NT_STATUS_NO_MEMORY); 710 711 return (smb_token_setup_wingrps(token)); 712 } 713 714 /* 715 * Setup access token for guest connections 716 */ 717 static uint32_t 718 smb_token_setup_guest(smb_logon_t *user_info, smb_token_t *token) 719 { 720 token->tkn_account_name = strdup(user_info->lg_e_username); 721 722 (void) rw_rdlock(&smb_logoninit_rwl); 723 token->tkn_domain_name = strdup(smb_guest.a_domain); 724 token->tkn_user.i_sid = smb_sid_dup(smb_guest.a_sid); 725 token->tkn_primary_grp.i_sid = smb_sid_dup(smb_domusers.a_sid); 726 (void) rw_unlock(&smb_logoninit_rwl); 727 token->tkn_flags = SMB_ATF_GUEST; 728 729 /* 730 * [MS-NLMP] 3.2.5.1.2 "Server Receives an AUTHENTICATE_MESSAGE from the 731 * Client": 732 * The 'SessionBaseKey' for Guests is 16-bytes of 0s. 733 */ 734 token->tkn_ssnkey.val = calloc(1, SMBAUTH_SESSION_KEY_SZ); 735 736 if (token->tkn_account_name == NULL || 737 token->tkn_domain_name == NULL || 738 token->tkn_user.i_sid == NULL || 739 token->tkn_primary_grp.i_sid == NULL || 740 token->tkn_ssnkey.val == NULL) 741 return (NT_STATUS_NO_MEMORY); 742 743 token->tkn_ssnkey.len = SMBAUTH_SESSION_KEY_SZ; 744 return (smb_token_setup_wingrps(token)); 745 } 746 747 /* 748 * Setup access token for anonymous connections 749 */ 750 static uint32_t 751 smb_token_setup_anon(smb_token_t *token) 752 { 753 smb_sid_t *user_sid; 754 755 token->tkn_account_name = strdup("Anonymous"); 756 token->tkn_domain_name = strdup("NT Authority"); 757 user_sid = smb_wka_get_sid("Anonymous"); 758 token->tkn_user.i_sid = smb_sid_dup(user_sid); 759 token->tkn_primary_grp.i_sid = smb_sid_dup(user_sid); 760 token->tkn_flags = SMB_ATF_ANON; 761 762 /* 763 * [MS-NLMP] 3.2.5.1.2 "Server Receives an AUTHENTICATE_MESSAGE from the 764 * Client": 765 * The 'SessionBaseKey' for Anonymous users is 16-bytes of 0s. 766 */ 767 token->tkn_ssnkey.val = calloc(1, SMBAUTH_SESSION_KEY_SZ); 768 769 if (token->tkn_account_name == NULL || 770 token->tkn_domain_name == NULL || 771 token->tkn_user.i_sid == NULL || 772 token->tkn_primary_grp.i_sid == NULL || 773 token->tkn_ssnkey.val == NULL) 774 return (NT_STATUS_NO_MEMORY); 775 776 token->tkn_ssnkey.len = SMBAUTH_SESSION_KEY_SZ; 777 return (smb_token_setup_wingrps(token)); 778 } 779 780 /* 781 * smb_token_user_sid 782 * 783 * Return a pointer to the user SID in the specified token. A null 784 * pointer indicates an error. 785 */ 786 static smb_sid_t * 787 smb_token_user_sid(smb_token_t *token) 788 { 789 return ((token) ? token->tkn_user.i_sid : NULL); 790 } 791 792 /* 793 * smb_token_group_sid 794 * 795 * Return a pointer to the group SID as indicated by the iterator. 796 * Setting the iterator to 0 before calling this function will return 797 * the first group, which will always be the primary group. The 798 * iterator will be incremented before returning the SID so that this 799 * function can be used to cycle through the groups. The caller can 800 * adjust the iterator as required between calls to obtain any specific 801 * group. 802 * 803 * On success a pointer to the appropriate group SID will be returned. 804 * Otherwise a null pointer will be returned. 805 */ 806 static smb_sid_t * 807 smb_token_group_sid(smb_token_t *token, int *iterator) 808 { 809 int index; 810 811 if (token == NULL || iterator == NULL) 812 return (NULL); 813 814 if (token->tkn_win_grps.i_ids == NULL) 815 return (NULL); 816 817 index = *iterator; 818 819 if (index < 0 || index >= token->tkn_win_grps.i_cnt) 820 return (NULL); 821 822 ++(*iterator); 823 return (token->tkn_win_grps.i_ids[index].i_sid); 824 } 825 826 /* 827 * smb_token_is_member 828 * 829 * This function will determine whether or not the specified SID is a 830 * member of a token. The user SID and all group SIDs are tested. 831 * Returns 1 if the SID is a member of the token. Otherwise returns 0. 832 */ 833 static boolean_t 834 smb_token_is_member(smb_token_t *token, smb_sid_t *sid) 835 { 836 smb_sid_t *tsid; 837 int iterator = 0; 838 839 if (token == NULL || sid == NULL) 840 return (B_FALSE); 841 842 tsid = smb_token_user_sid(token); 843 while (tsid) { 844 if (smb_sid_cmp(tsid, sid)) 845 return (B_TRUE); 846 847 tsid = smb_token_group_sid(token, &iterator); 848 } 849 850 return (B_FALSE); 851 } 852 853 /* 854 * smb_token_log 855 * 856 * Diagnostic routine to write the contents of a token to the log. 857 */ 858 void 859 smb_token_log(smb_token_t *token) 860 { 861 smb_ids_t *w_grps; 862 smb_id_t *grp; 863 smb_posix_grps_t *x_grps; 864 char sidstr[SMB_SID_STRSZ]; 865 int i; 866 867 if (token == NULL) 868 return; 869 870 syslog(LOG_DEBUG, "Token for %s\\%s", 871 (token->tkn_domain_name) ? token->tkn_domain_name : "-NULL-", 872 (token->tkn_account_name) ? token->tkn_account_name : "-NULL-"); 873 874 syslog(LOG_DEBUG, " User->Attr: %d", token->tkn_user.i_attrs); 875 smb_sid_tostr((smb_sid_t *)token->tkn_user.i_sid, sidstr); 876 syslog(LOG_DEBUG, " User->Sid: %s (id=%u)", sidstr, 877 token->tkn_user.i_id); 878 879 smb_sid_tostr((smb_sid_t *)token->tkn_owner.i_sid, sidstr); 880 syslog(LOG_DEBUG, " Ownr->Sid: %s (id=%u)", 881 sidstr, token->tkn_owner.i_id); 882 883 smb_sid_tostr((smb_sid_t *)token->tkn_primary_grp.i_sid, sidstr); 884 syslog(LOG_DEBUG, " PGrp->Sid: %s (id=%u)", 885 sidstr, token->tkn_primary_grp.i_id); 886 887 w_grps = &token->tkn_win_grps; 888 if (w_grps->i_ids) { 889 syslog(LOG_DEBUG, " Windows groups: %d", w_grps->i_cnt); 890 grp = w_grps->i_ids; 891 for (i = 0; i < w_grps->i_cnt; ++i, grp++) { 892 syslog(LOG_DEBUG, 893 " Grp[%d].Attr:%d", i, grp->i_attrs); 894 if (grp->i_sid != NULL) { 895 smb_sid_tostr((smb_sid_t *)grp->i_sid, sidstr); 896 syslog(LOG_DEBUG, 897 " Grp[%d].Sid: %s (id=%u)", i, sidstr, 898 grp->i_id); 899 } 900 } 901 } else { 902 syslog(LOG_DEBUG, " No Windows groups"); 903 } 904 905 x_grps = token->tkn_posix_grps; 906 if (x_grps) { 907 syslog(LOG_DEBUG, " Solaris groups: %d", x_grps->pg_ngrps); 908 for (i = 0; i < x_grps->pg_ngrps; i++) 909 syslog(LOG_DEBUG, " %u", x_grps->pg_grps[i]); 910 } else { 911 syslog(LOG_DEBUG, " No Solaris groups"); 912 } 913 914 if (token->tkn_privileges) 915 smb_privset_log(token->tkn_privileges); 916 else 917 syslog(LOG_DEBUG, " No privileges"); 918 } 919 920 /* 921 * Sets up local and well-known group membership for the given 922 * token. Two assumptions have been made here: 923 * 924 * a) token already contains a valid user SID so that group 925 * memberships can be established 926 * 927 * b) token belongs to a local or anonymous user 928 */ 929 static uint32_t 930 smb_token_setup_wingrps(smb_token_t *token) 931 { 932 smb_ids_t tkn_grps; 933 uint32_t status; 934 935 936 /* 937 * We always want the user's primary group in the list 938 * of groups. 939 */ 940 tkn_grps.i_cnt = 1; 941 if ((tkn_grps.i_ids = malloc(sizeof (smb_id_t))) == NULL) 942 return (NT_STATUS_NO_MEMORY); 943 944 tkn_grps.i_ids->i_sid = smb_sid_dup(token->tkn_primary_grp.i_sid); 945 tkn_grps.i_ids->i_attrs = token->tkn_primary_grp.i_attrs; 946 if (tkn_grps.i_ids->i_sid == NULL) { 947 smb_ids_free(&tkn_grps); 948 return (NT_STATUS_NO_MEMORY); 949 } 950 951 status = smb_sam_usr_groups(token->tkn_user.i_sid, &tkn_grps); 952 if (status != NT_STATUS_SUCCESS) { 953 smb_ids_free(&tkn_grps); 954 return (status); 955 } 956 957 status = smb_wka_token_groups(token->tkn_flags, &tkn_grps); 958 if (status != NT_STATUS_SUCCESS) { 959 smb_ids_free(&tkn_grps); 960 return (status); 961 } 962 963 token->tkn_win_grps = tkn_grps; 964 return (status); 965 } 966 967 /* 968 * Returns the guest account name in the provided buffer. 969 * 970 * By default the name would be "guest" unless there's 971 * a idmap name-based rule which maps the guest to a local 972 * Solaris user in which case the name of that user is 973 * returned. 974 */ 975 static void 976 smb_guest_account(char *guest, size_t buflen) 977 { 978 idmap_stat stat; 979 uid_t guest_uid; 980 struct passwd pw; 981 char pwbuf[1024]; 982 int idtype; 983 984 /* default Guest account name */ 985 (void) rw_rdlock(&smb_logoninit_rwl); 986 (void) strlcpy(guest, smb_guest.a_name, buflen); 987 988 idtype = SMB_IDMAP_USER; 989 stat = smb_idmap_getid(smb_guest.a_sid, &guest_uid, &idtype); 990 (void) rw_unlock(&smb_logoninit_rwl); 991 992 if (stat != IDMAP_SUCCESS) 993 return; 994 995 /* If Ephemeral ID return the default name */ 996 if (IDMAP_ID_IS_EPHEMERAL(guest_uid)) 997 return; 998 999 if (getpwuid_r(guest_uid, &pw, pwbuf, sizeof (pwbuf)) == NULL) 1000 return; 1001 1002 (void) strlcpy(guest, pw.pw_name, buflen); 1003 } 1004