smbsrv/smbd/smbd_join.c

	smbd_join.c revision bbf6f00c25b6a2bed23c35eac6d62998ecdb338c
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw/*
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * CDDL HEADER START
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw *
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * The contents of this file are subject to the terms of the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Common Development and Distribution License (the "License").
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * You may not use this file except in compliance with the License.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw *
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * or http://www.opensolaris.org/os/licensing.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * See the License for the specific language governing permissions
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * and limitations under the License.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw *
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * When distributing Covered Code, include this CDDL HEADER in each
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * If applicable, add the following below this CDDL HEADER, with the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * fields enclosed by brackets "[]" replaced with your own identifying
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * information: Portions Copyright [yyyy] [name of copyright owner]
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw *
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * CDDL HEADER END
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw */
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw/*
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Use is subject to license terms.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw */
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <syslog.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <synch.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <pthread.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <unistd.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <string.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <strings.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <sys/errno.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <smbsrv/libsmb.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <smbsrv/libsmbns.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <smbsrv/libmlsvc.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <smbsrv/smbinfo.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <smbsrv/ntstatus.h>
8d7e41661dc4633488e93b13363137523ce59977jose borrego#include "smbd.h"
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw/*
8d7e41661dc4633488e93b13363137523ce59977jose borrego * This is a short-lived thread that triggers the initial DC discovery
8d7e41661dc4633488e93b13363137523ce59977jose borrego * at startup.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw */
8d7e41661dc4633488e93b13363137523ce59977jose borregostatic pthread_t smb_locate_dc_thr;
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw
8d7e41661dc4633488e93b13363137523ce59977jose borregostatic void *smbd_locate_dc_thread(void *);
8d7e41661dc4633488e93b13363137523ce59977jose borregostatic int smbd_get_kpasswd_srv(char *, size_t);
8d7e41661dc4633488e93b13363137523ce59977jose borregostatic uint32_t smbd_join_workgroup(smb_joininfo_t *);
8d7e41661dc4633488e93b13363137523ce59977jose borregostatic uint32_t smbd_join_domain(smb_joininfo_t *);
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw/*
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * smbd_join
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw *
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Joins the specified domain/workgroup.
8d7e41661dc4633488e93b13363137523ce59977jose borrego *
8d7e41661dc4633488e93b13363137523ce59977jose borrego * If the security mode or domain name is being changed,
8d7e41661dc4633488e93b13363137523ce59977jose borrego * the caller must restart the service.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw */
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amwuint32_t
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amwsmbd_join(smb_joininfo_t *info)
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw{
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw    uint32_t status;
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw
2c1b14e51525da2c09064641416fc4aed457c72fjose borrego    dssetup_clear_domain_info();
8d7e41661dc4633488e93b13363137523ce59977jose borrego    if (info->mode == SMB_SECMODE_WORKGRP)
8d7e41661dc4633488e93b13363137523ce59977jose borrego        status = smbd_join_workgroup(info);
8d7e41661dc4633488e93b13363137523ce59977jose borrego    else
8d7e41661dc4633488e93b13363137523ce59977jose borrego        status = smbd_join_domain(info);
2c1b14e51525da2c09064641416fc4aed457c72fjose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego    return (status);
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw}
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb/*
8d7e41661dc4633488e93b13363137523ce59977jose borrego * smbd_set_netlogon_cred
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb *
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * If the system is joined to an AD domain via kclient, SMB daemon will need
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * to establish the NETLOGON credential chain.
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb *
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * Since the kclient has updated the machine password stored in SMF
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * repository, the cached ipc_info must be updated accordingly by calling
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright * smb_ipc_commit.
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb *
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * Due to potential replication delays in a multiple DC environment, the
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * NETLOGON rpc request must be sent to the DC, to which the KPASSWD request
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * is sent. If the DC discovered by the SMB daemon is different than the
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * kpasswd server, the current connection with the DC will be torn down
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * and a DC discovery process will be triggered to locate the kpasswd
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * server.
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb *
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * If joining a new domain, the domain_name property must be set after a
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * successful credential chain setup.
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb */
8d7e41661dc4633488e93b13363137523ce59977jose borregoboolean_t
8d7e41661dc4633488e93b13363137523ce59977jose borregosmbd_set_netlogon_cred(void)
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb{
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb    char kpasswd_srv[MAXHOSTNAMELEN];
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb    char kpasswd_domain[MAXHOSTNAMELEN];
b89a8333f5e1f75ec0c269b22524bd2eccb972banatalie li - Sun Microsystems - Irvine United States    char sam_acct[SMB_SAMACCT_MAXLEN];
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright    char ipc_usr[SMB_USERNAME_MAXLEN];
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright    char *dom;
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb    boolean_t new_domain = B_FALSE;
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright    smb_domainex_t dxi;
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright    smb_domain_t *di;
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb    if (smb_config_get_secmode() != SMB_SECMODE_DOMAIN)
8d7e41661dc4633488e93b13363137523ce59977jose borrego        return (B_FALSE);
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb    if (smb_match_netlogon_seqnum())
8d7e41661dc4633488e93b13363137523ce59977jose borrego        return (B_FALSE);
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb    (void) smb_config_getstr(SMB_CI_KPASSWD_SRV, kpasswd_srv,
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb        sizeof (kpasswd_srv));
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb    if (*kpasswd_srv == '\0')
8d7e41661dc4633488e93b13363137523ce59977jose borrego        return (B_FALSE);
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb    /*
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb     * If the domain join initiated by smbadm join CLI is in
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb     * progress, don't do anything.
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb     */
b89a8333f5e1f75ec0c269b22524bd2eccb972banatalie li - Sun Microsystems - Irvine United States    (void) smb_getsamaccount(sam_acct, sizeof (sam_acct));
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright    smb_ipc_get_user(ipc_usr, SMB_USERNAME_MAXLEN);
bbf6f00c25b6a2bed23c35eac6d62998ecdb338cJordan Brown    if (smb_strcasecmp(ipc_usr, sam_acct, 0))
8d7e41661dc4633488e93b13363137523ce59977jose borrego        return (B_FALSE);
8d7e41661dc4633488e93b13363137523ce59977jose borrego
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright    di = &dxi.d_primary;
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright    if (!smb_domain_getinfo(&dxi))
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright        (void) smb_getfqdomainname(di->di_fqname, MAXHOSTNAMELEN);
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb    (void) smb_config_getstr(SMB_CI_KPASSWD_DOMAIN, kpasswd_domain,
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb        sizeof (kpasswd_domain));
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb    if (*kpasswd_domain != '\0' &&
bbf6f00c25b6a2bed23c35eac6d62998ecdb338cJordan Brown        smb_strcasecmp(kpasswd_domain, di->di_fqname, 0)) {
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb        dom = kpasswd_domain;
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb        new_domain = B_TRUE;
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb    } else {
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright        dom = di->di_fqname;
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb    }
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb    /*
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb     * DC discovery will be triggered if the domain info is not
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb     * currently cached or the SMB daemon has previously discovered a DC
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb     * that is different than the kpasswd server.
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb     */
bbf6f00c25b6a2bed23c35eac6d62998ecdb338cJordan Brown    if (new_domain || smb_strcasecmp(dxi.d_dc, kpasswd_srv, 0) != 0) {
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright        if (*dxi.d_dc != '\0')
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright            mlsvc_disconnect(dxi.d_dc);
8d7e41661dc4633488e93b13363137523ce59977jose borrego
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright        if (!smb_locate_dc(dom, kpasswd_srv, &dxi)) {
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright            if (!smb_locate_dc(di->di_fqname, "", &dxi)) {
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright                smb_ipc_commit();
8d7e41661dc4633488e93b13363137523ce59977jose borrego                return (B_FALSE);
8d7e41661dc4633488e93b13363137523ce59977jose borrego            }
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb        }
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb    }
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright    smb_ipc_commit();
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright    if (mlsvc_netlogon(dxi.d_dc, di->di_nbname)) {
8d7e41661dc4633488e93b13363137523ce59977jose borrego        syslog(LOG_ERR,
8d7e41661dc4633488e93b13363137523ce59977jose borrego            "failed to establish NETLOGON credential chain");
8d7e41661dc4633488e93b13363137523ce59977jose borrego        return (B_TRUE);
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb    } else {
8c10a8659ac31335ed870a1711c0182623f72fd6as        if (new_domain) {
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright            smb_config_setdomaininfo(di->di_nbname, di->di_fqname,
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright                di->di_sid,
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright                di->di_u.di_dns.ddi_forest,
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright                di->di_u.di_dns.ddi_guid);
8d7e41661dc4633488e93b13363137523ce59977jose borrego            (void) smb_config_setstr(SMB_CI_KPASSWD_DOMAIN, "");
8c10a8659ac31335ed870a1711c0182623f72fd6as        }
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb    }
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb
8d7e41661dc4633488e93b13363137523ce59977jose borrego    return (new_domain);
8d7e41661dc4633488e93b13363137523ce59977jose borrego}
8d7e41661dc4633488e93b13363137523ce59977jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego/*
8d7e41661dc4633488e93b13363137523ce59977jose borrego * smbd_locate_dc_start()
8d7e41661dc4633488e93b13363137523ce59977jose borrego *
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Initialization of the thread that triggers the initial DC discovery
8d7e41661dc4633488e93b13363137523ce59977jose borrego * when SMB daemon starts up.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Returns 0 on success, an error number if thread creation fails.
8d7e41661dc4633488e93b13363137523ce59977jose borrego */
8d7e41661dc4633488e93b13363137523ce59977jose borregoint
8d7e41661dc4633488e93b13363137523ce59977jose borregosmbd_locate_dc_start(void)
8d7e41661dc4633488e93b13363137523ce59977jose borrego{
8d7e41661dc4633488e93b13363137523ce59977jose borrego    pthread_attr_t tattr;
8d7e41661dc4633488e93b13363137523ce59977jose borrego    int rc;
8d7e41661dc4633488e93b13363137523ce59977jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego    (void) pthread_attr_init(&tattr);
8d7e41661dc4633488e93b13363137523ce59977jose borrego    (void) pthread_attr_setdetachstate(&tattr, PTHREAD_CREATE_DETACHED);
8d7e41661dc4633488e93b13363137523ce59977jose borrego    rc = pthread_create(&smb_locate_dc_thr, &tattr, smbd_locate_dc_thread,
8d7e41661dc4633488e93b13363137523ce59977jose borrego        NULL);
8d7e41661dc4633488e93b13363137523ce59977jose borrego    (void) pthread_attr_destroy(&tattr);
8d7e41661dc4633488e93b13363137523ce59977jose borrego    return (rc);
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb}
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego/*
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * smbd_locate_dc_thread()
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego *
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * If necessary, set up Netlogon credential chain and locate a
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * domain controller in the given resource domain.
8d7e41661dc4633488e93b13363137523ce59977jose borrego *
8d7e41661dc4633488e93b13363137523ce59977jose borrego * The domain configuration will be updated upon a successful DC discovery.
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego */
8d7e41661dc4633488e93b13363137523ce59977jose borrego/*ARGSUSED*/
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borregostatic void *
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borregosmbd_locate_dc_thread(void *arg)
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego{
8d7e41661dc4633488e93b13363137523ce59977jose borrego    char domain[MAXHOSTNAMELEN];
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright    smb_domainex_t new_domain;
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright    smb_domain_t *di;
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego    if (!smb_match_netlogon_seqnum()) {
8d7e41661dc4633488e93b13363137523ce59977jose borrego        (void) smbd_set_netlogon_cred();
8d7e41661dc4633488e93b13363137523ce59977jose borrego    } else {
8d7e41661dc4633488e93b13363137523ce59977jose borrego        if (smb_getfqdomainname(domain, MAXHOSTNAMELEN) != 0) {
8d7e41661dc4633488e93b13363137523ce59977jose borrego            (void) smb_getdomainname(domain, MAXHOSTNAMELEN);
bbf6f00c25b6a2bed23c35eac6d62998ecdb338cJordan Brown            (void) smb_strupr(domain);
8d7e41661dc4633488e93b13363137523ce59977jose borrego        }
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright        if (smb_locate_dc(domain, "", &new_domain)) {
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright            di = &new_domain.d_primary;
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright            smb_config_setdomaininfo(di->di_nbname, di->di_fqname,
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright                di->di_sid,
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright                di->di_u.di_dns.ddi_forest,
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright                di->di_u.di_dns.ddi_guid);
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright        }
8d7e41661dc4633488e93b13363137523ce59977jose borrego    }
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego    return (NULL);
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego}
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego/*
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Retrieve the kpasswd server from krb5.conf.
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego *
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * Initialization of the locate dc thread.
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * Returns 0 on success, an error number if thread creation fails.
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego */
8d7e41661dc4633488e93b13363137523ce59977jose borregostatic int
8d7e41661dc4633488e93b13363137523ce59977jose borregosmbd_get_kpasswd_srv(char *srv, size_t len)
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego{
8d7e41661dc4633488e93b13363137523ce59977jose borrego    FILE *fp;
8d7e41661dc4633488e93b13363137523ce59977jose borrego    static char buf[512];
8d7e41661dc4633488e93b13363137523ce59977jose borrego    char *p;
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego    *srv = '\0';
8d7e41661dc4633488e93b13363137523ce59977jose borrego    p = getenv("KRB5_CONFIG");
8d7e41661dc4633488e93b13363137523ce59977jose borrego    if (p == NULL || *p == '\0')
8d7e41661dc4633488e93b13363137523ce59977jose borrego        p = "/etc/krb5/krb5.conf";
8d7e41661dc4633488e93b13363137523ce59977jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego    if ((fp = fopen(p, "r")) == NULL)
8d7e41661dc4633488e93b13363137523ce59977jose borrego        return (-1);
8d7e41661dc4633488e93b13363137523ce59977jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego    while (fgets(buf, sizeof (buf), fp)) {
8d7e41661dc4633488e93b13363137523ce59977jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego        /* Weed out any comment text */
8d7e41661dc4633488e93b13363137523ce59977jose borrego        (void) trim_whitespace(buf);
8d7e41661dc4633488e93b13363137523ce59977jose borrego        if (*buf == '#')
8d7e41661dc4633488e93b13363137523ce59977jose borrego            continue;
8d7e41661dc4633488e93b13363137523ce59977jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego        if ((p = strstr(buf, "kpasswd_server")) != NULL) {
8d7e41661dc4633488e93b13363137523ce59977jose borrego            if ((p = strchr(p, '=')) != NULL) {
8d7e41661dc4633488e93b13363137523ce59977jose borrego                (void) trim_whitespace(++p);
8d7e41661dc4633488e93b13363137523ce59977jose borrego                (void) strlcpy(srv, p, len);
8d7e41661dc4633488e93b13363137523ce59977jose borrego            }
8d7e41661dc4633488e93b13363137523ce59977jose borrego            break;
8d7e41661dc4633488e93b13363137523ce59977jose borrego        }
8d7e41661dc4633488e93b13363137523ce59977jose borrego    }
8d7e41661dc4633488e93b13363137523ce59977jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego    (void) fclose(fp);
8d7e41661dc4633488e93b13363137523ce59977jose borrego    return ((*srv == '\0') ? -1 : 0);
8d7e41661dc4633488e93b13363137523ce59977jose borrego}
8d7e41661dc4633488e93b13363137523ce59977jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borregostatic uint32_t
8d7e41661dc4633488e93b13363137523ce59977jose borregosmbd_join_workgroup(smb_joininfo_t *info)
8d7e41661dc4633488e93b13363137523ce59977jose borrego{
8d7e41661dc4633488e93b13363137523ce59977jose borrego    char nb_domain[SMB_PI_MAX_DOMAIN];
8d7e41661dc4633488e93b13363137523ce59977jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego    (void) smb_config_getstr(SMB_CI_DOMAIN_NAME, nb_domain,
8d7e41661dc4633488e93b13363137523ce59977jose borrego        sizeof (nb_domain));
8d7e41661dc4633488e93b13363137523ce59977jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego    smbd_set_secmode(SMB_SECMODE_WORKGRP);
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright    smb_config_setdomaininfo(info->domain_name, "", "", "", "");
8d7e41661dc4633488e93b13363137523ce59977jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego    if (strcasecmp(nb_domain, info->domain_name))
8d7e41661dc4633488e93b13363137523ce59977jose borrego        smb_browser_reconfig();
8d7e41661dc4633488e93b13363137523ce59977jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego    return (NT_STATUS_SUCCESS);
8d7e41661dc4633488e93b13363137523ce59977jose borrego}
8d7e41661dc4633488e93b13363137523ce59977jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borregostatic uint32_t
8d7e41661dc4633488e93b13363137523ce59977jose borregosmbd_join_domain(smb_joininfo_t *info)
8d7e41661dc4633488e93b13363137523ce59977jose borrego{
8d7e41661dc4633488e93b13363137523ce59977jose borrego    uint32_t status;
8d7e41661dc4633488e93b13363137523ce59977jose borrego    unsigned char passwd_hash[SMBAUTH_HASH_SZ];
8d7e41661dc4633488e93b13363137523ce59977jose borrego    char dc[MAXHOSTNAMELEN];
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright    smb_domainex_t dxi;
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright    smb_domain_t *di;
8d7e41661dc4633488e93b13363137523ce59977jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego    /*
8d7e41661dc4633488e93b13363137523ce59977jose borrego     * Ensure that any previous membership of this domain has
8d7e41661dc4633488e93b13363137523ce59977jose borrego     * been cleared from the environment before we start. This
8d7e41661dc4633488e93b13363137523ce59977jose borrego     * will ensure that we don't attempt a NETLOGON_SAMLOGON
8d7e41661dc4633488e93b13363137523ce59977jose borrego     * when attempting to find the PDC.
8d7e41661dc4633488e93b13363137523ce59977jose borrego     */
8d7e41661dc4633488e93b13363137523ce59977jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego    (void) smb_config_setbool(SMB_CI_DOMAIN_MEMB, B_FALSE);
8d7e41661dc4633488e93b13363137523ce59977jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego    if (smb_auth_ntlm_hash(info->domain_passwd, passwd_hash)
8d7e41661dc4633488e93b13363137523ce59977jose borrego        != SMBAUTH_SUCCESS) {
8d7e41661dc4633488e93b13363137523ce59977jose borrego        syslog(LOG_ERR, "smbd: could not compute ntlm hash for '%s'",
8d7e41661dc4633488e93b13363137523ce59977jose borrego            info->domain_username);
8d7e41661dc4633488e93b13363137523ce59977jose borrego        return (NT_STATUS_INTERNAL_ERROR);
8d7e41661dc4633488e93b13363137523ce59977jose borrego    }
8d7e41661dc4633488e93b13363137523ce59977jose borrego
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright    smb_ipc_set(info->domain_username, passwd_hash);
8d7e41661dc4633488e93b13363137523ce59977jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego    (void) smbd_get_kpasswd_srv(dc, sizeof (dc));
8d7e41661dc4633488e93b13363137523ce59977jose borrego    /* info->domain_name could either be NetBIOS domain name or FQDN */
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright    if (smb_locate_dc(info->domain_name, dc, &dxi)) {
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright        status = mlsvc_join(&dxi, info->domain_username,
8d7e41661dc4633488e93b13363137523ce59977jose borrego            info->domain_passwd);
8d7e41661dc4633488e93b13363137523ce59977jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego        if (status == NT_STATUS_SUCCESS) {
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright            di = &dxi.d_primary;
8d7e41661dc4633488e93b13363137523ce59977jose borrego            smbd_set_secmode(SMB_SECMODE_DOMAIN);
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright            smb_config_setdomaininfo(di->di_nbname, di->di_fqname,
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright                di->di_sid,
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright                di->di_u.di_dns.ddi_forest,
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright                di->di_u.di_dns.ddi_guid);
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright            smb_ipc_commit();
8d7e41661dc4633488e93b13363137523ce59977jose borrego            return (status);
8d7e41661dc4633488e93b13363137523ce59977jose borrego        }
8d7e41661dc4633488e93b13363137523ce59977jose borrego
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright        smb_ipc_rollback();
8d7e41661dc4633488e93b13363137523ce59977jose borrego        syslog(LOG_ERR, "smbd: failed joining %s (%s)",
8d7e41661dc4633488e93b13363137523ce59977jose borrego            info->domain_name, xlate_nt_status(status));
8d7e41661dc4633488e93b13363137523ce59977jose borrego        return (status);
8d7e41661dc4633488e93b13363137523ce59977jose borrego    }
8d7e41661dc4633488e93b13363137523ce59977jose borrego
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright    smb_ipc_rollback();
8d7e41661dc4633488e93b13363137523ce59977jose borrego    syslog(LOG_ERR, "smbd: failed locating domain controller for %s",
8d7e41661dc4633488e93b13363137523ce59977jose borrego        info->domain_name);
8d7e41661dc4633488e93b13363137523ce59977jose borrego    return (NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND);
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego}