/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
 * Copyright 2015 Nexenta Systems, Inc.  All rights reserved.
 */

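#ifndef _SMB_TOKEN_H
#define	_SMB_TOKEN_H

#include <smbsrv/smb_inet.h>
#include <smbsrv/smb_privilege.h>
#include <smbsrv/smb_sid.h>

/*
 * Don't want <smbsrv/netrauth.h> in here, but
 * uts/common/fs/smbsrv/smb_authenticate.c
 * wants this.  Todo: cleanup
 *
 * NOTE(review): this presumably duplicates a definition in
 * <smbsrv/netrauth.h>.  Nothing here keeps the two copies equal,
 * so confirm they match whenever either one is changed.
 */
#define	NETR_NETWORK_LOGON			0x02

#ifdef __cplusplus
extern "C" {
#endif
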
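/*
 * 32-bit opaque buffer (non-null terminated strings)
 * See also: smb_buf32_xdr()
 *
 * The data at val is not NUL-terminated, so len is the only bound a
 * reader has; never pass val to a str*() routine.
 * NOTE(review): len is presumably the number of bytes at val, and is
 * presumably filled in by smb_buf32_xdr() when decoding -- confirm the
 * decoder caps it before allocating.
 */
typedef struct smb_buf32 {
	uint32_t	len;
	uint8_t		*val;
} smb_buf32_t;
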
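/*
 * Access Token
 *
 * An access token identifies a user, the user's privileges and the
 * list of groups of which the user is a member. This information is
 * used when access is requested to an object by comparing this
 * information with the DACL in the object's security descriptor.
 *
 * There should be one unique token per user per session per client.
 *
 * Access Token Flags
 *
 * SMB_ATF_GUEST	Token belongs to guest user
 * SMB_ATF_ANON		Token belongs to anonymous user
 * 			and it's only good for IPC Connection.
 * SMB_ATF_POWERUSER	Token belongs to a Power User member
 * SMB_ATF_BACKUPOP	Token belongs to a Backup Operators member
 * SMB_ATF_ADMIN	Token belongs to a Domain Admins member
 *
 * Each flag is a distinct bit, so a token may carry several at once;
 * test for one with "&", not "==".
 * NOTE(review): presumably stored in smb_token_t.tkn_flags -- confirm.
 */
#define	SMB_ATF_ANON		0x00000001
#define	SMB_ATF_GUEST		0x00000002
#define	SMB_ATF_POWERUSER	0x00000004
#define	SMB_ATF_BACKUPOP	0x00000008
#define	SMB_ATF_ADMIN		0x00000010
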
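/*
 * Size in bytes of an smb_posix_grps_t that holds n group IDs.
 * One gid_t is subtracted because the structure declares its own
 * pg_grps[] storage (presumably ANY_SIZE_ARRAY is 1 -- confirm).
 *
 * The argument is parenthesized so that an expression such as
 * "cond ? a : b" is evaluated as a whole before the subtraction.
 *
 * NOTE(review): n must be at least 1.  With an unsigned 32-bit n of 0,
 * (n) - 1 wraps to UINT32_MAX, and a very large n can overflow the
 * multiplication where size_t is 32 bits.  Callers passing a count
 * taken from a decoded message should range-check it first.
 */
#define	SMB_POSIX_GRPS_SIZE(n) \
	(sizeof (smb_posix_grps_t) + ((n) - 1) * sizeof (gid_t))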
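/*
 * smb_posix_grps_t consists of the primary and supplementary
 * POSIX groups.
 * See also: smb_posix_grps_xdr()
 *
 * pg_grps[] is declared with ANY_SIZE_ARRAY; the real number of
 * elements is fixed when the structure is allocated (see
 * SMB_POSIX_GRPS_SIZE()).
 * NOTE(review): pg_ngrps is presumably the number of valid entries in
 * pg_grps[].  Nothing in this header ties it to the allocation size,
 * so a consumer should index pg_grps[] only with a count that was
 * checked when the structure was built or decoded -- confirm.
 */
typedef struct smb_posix_grps {
	uint32_t	pg_ngrps;
	gid_t		pg_grps[ANY_SIZE_ARRAY];
} smb_posix_grps_t;
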
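/*
 * An NT-style logon "token" (NT terminology)
 * See also: smb_token_xdr()
 *
 * The pointer members (tkn_privileges, tkn_account_name,
 * tkn_domain_name, tkn_ssnkey.val, tkn_posix_grps) refer to storage
 * outside the structure itself.
 * NOTE(review): ownership is not stated in this header; presumably
 * smb_token_free() (kernel) and smb_token_destroy() (user space)
 * release that storage -- confirm.
 */
typedef struct smb_token {
	smb_id_t	tkn_user;
	smb_id_t	tkn_owner;
	smb_id_t	tkn_primary_grp;
	smb_ids_t	tkn_win_grps;
	smb_privset_t	*tkn_privileges;
	char		*tkn_account_name;
	char		*tkn_domain_name;
	uint32_t	tkn_flags;	/* presumably SMB_ATF_* bits */
	uint32_t	tkn_audit_sid;
	/*
	 * NOTE(review): by its name, session-key material.  Confirm it
	 * is zeroed before the token is freed and is not written out
	 * by smb_token_log().
	 */
	smb_buf32_t	tkn_ssnkey;
	smb_posix_grps_t *tkn_posix_grps;
} smb_token_t;
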
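/*
 * Details required to authenticate a user.
 * See also: smb_logon_xdr()
 *
 * NOTE(review): going by their comments and names, lg_username,
 * lg_domain and lg_workstation are values the client asked for.
 * Treat them as untrusted wherever they are logged or compared, and
 * make access decisions on the effective (lg_e_*) names only if the
 * code that fills those in has validated them -- confirm.
 */
typedef struct smb_logon {
	uint16_t	lg_level;
	char		*lg_username;	/* requested username */
	char		*lg_domain;	/* requested domain */
	char		*lg_e_username;	/* effective username */
	char		*lg_e_domain;	/* effective domain */
	char		*lg_workstation;
	smb_inaddr_t	lg_clnt_ipaddr;
	smb_inaddr_t	lg_local_ipaddr;
	uint16_t	lg_local_port;
	/*
	 * NOTE(review): by name, the challenge and the NT/LM password
	 * responses.  Each length travels in its own smb_buf32_t; confirm
	 * consumers check len against the size they expect before
	 * reading val, and that smb_logon_free() clears these buffers.
	 */
	smb_buf32_t	lg_challenge_key;
	smb_buf32_t	lg_nt_password;
	smb_buf32_t	lg_lm_password;
	uint32_t	lg_ntlm_flags;
	int		lg_native_os;
	int		lg_native_lm;
	uint32_t	lg_flags;
	uint32_t	lg_logon_id;	/* filled in user space */
	uint32_t	lg_domain_type;	/* filled in user space */
	uint32_t	lg_secmode;	/* filled in user space */
	uint32_t	lg_status;	/* filled in user space */
} smb_logon_t;
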
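/*
 * This is the name of the local (AF_UNIX) socket
 * where the SMB auth. service listens.
 *
 * NOTE(review): presumably any process able to connect to this path
 * can start the message exchange defined below, which would make the
 * permissions on the socket and its parent directory part of the
 * trust boundary -- confirm they admit only the SMB server.
 */
#define	SMB_AUTHSVC_SOCKNAME	"/var/smb/lipc/smbauth"

/*
 * Maximum number of authentication conversations at one time.
 * Note this is _NOT_ the max. number of logged on users,
 * which can be much larger.
 */
#define	SMB_AUTHSVC_MAXTHREAD	256
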
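/*
 * Messages to and from the local security authority
 * Type codes:
 *
 * Only LSA_MTYPE_OK has an explicit value; the rest number upward
 * from it in declaration order, so inserting or reordering an entry
 * renumbers every later one.  The value travels as a uint32_t in
 * smb_lsa_msg_hdr_t.lmh_msgtype.
 * NOTE(review): confirm each receiver rejects values outside this
 * list, and does not accept a reply type where it expects a request
 * (or the reverse).
 */
typedef enum smb_lsa_mtype {
	/* reply types */
	LSA_MTYPE_OK	= 0,
	LSA_MTYPE_ERROR,
	LSA_MTYPE_ES_DONE,	/* ext. sec: authenticated */
	LSA_MTYPE_ES_CONT,	/* more processing required */
	LSA_MTYPE_TOKEN,	/* smb_token_t */

	/* request types */
	LSA_MTYPE_OLDREQ,	/* non-ext. sec. session setup */
	LSA_MTYPE_CLINFO,	/* client info sent at start of ES */
	LSA_MTYPE_ESFIRST,	/* spnego initial message */
	LSA_MTYPE_ESNEXT,	/* spnego continuation */
	LSA_MTYPE_GETTOK	/* after ES auth, get token */
} smb_lsa_mtype_t;
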
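/*
 * msg: header common to all message types
 *
 * NOTE(review): lmh_msglen is supplied by the peer.  Confirm the
 * reader checks it against an upper bound, and against the size the
 * message type requires, before allocating or reading the payload.
 */
typedef struct smb_lsa_msg_hdr {
	uint32_t	lmh_msgtype;	/* smb_lsa_mtype_t */
	uint32_t	lmh_msglen;	/* size of what follows */
} smb_lsa_msg_hdr_t;
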
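/*
 * eresp: error response
 * msgtype: LSA_MTYPE_ERROR
 *
 * NOTE(review): presumably an NT status value plus an error
 * class/code pair describing the same failure -- confirm.
 */
typedef struct smb_lsa_eresp {
	uint32_t	ler_ntstatus;
	uint16_t	ler_errclass;
	uint16_t	ler_errcode;
} smb_lsa_eresp_t;
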
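/*
 * Message for LSA_MTYPE_CLINFO
 *
 * lci_challenge_key is a fixed 8-byte array here, whereas
 * smb_logon_t.lg_challenge_key is a variable-length smb_buf32_t.
 * Code that copies between the two should bound the copy by
 * sizeof (lci_challenge_key).
 */
typedef struct smb_lsa_clinfo {
	smb_inaddr_t	lci_clnt_ipaddr;
	unsigned char	lci_challenge_key[8];
	int		lci_native_os;
	int		lci_native_lm;
} smb_lsa_clinfo_t;
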
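/*
 * XDR routines for the structures above.  struct XDR is only forward
 * declared here; this file includes no XDR header.
 */
struct XDR;
int smb_logon_xdr(struct XDR *, smb_logon_t *);
int smb_token_xdr(struct XDR *, smb_token_t *);

/*
 * Kernel (and fake-kernel) builds see only smb_token_free(); all other
 * builds see the logon, encode/decode, log and destroy routines.
 * NOTE(review): smb_token_encode() and smb_logon_decode() exchange raw
 * byte buffers with a 32-bit length.  Who frees the returned pointers
 * is not stated here, and smb_logon_decode() presumably parses a buffer
 * that came from outside the process -- confirm it rejects short or
 * oversized input.
 */
#if defined(_KERNEL) || defined(_FAKE_KERNEL)
void smb_token_free(smb_token_t *);
#else /* _KERNEL */
smb_token_t *smb_logon(smb_logon_t *);
void smb_logon_abort(void);
void smb_token_destroy(smb_token_t *);
uint8_t *smb_token_encode(smb_token_t *, uint32_t *);
void smb_token_log(smb_token_t *);
smb_logon_t *smb_logon_decode(uint8_t *, uint32_t);
void smb_logon_free(smb_logon_t *);
#endif /* _KERNEL */

/* Declared for both kernel and user-space builds. */
int smb_token_query_privilege(smb_token_t *token, int priv_id);
boolean_t smb_token_valid(smb_token_t *);

#ifdef __cplusplus
}
#endif

#endif /* _SMB_TOKEN_H */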