smbd_join.c revision c8ec8eea9849cac239663c46be8a7f5d2ba7ca00
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw/*
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * CDDL HEADER START
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw *
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * The contents of this file are subject to the terms of the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Common Development and Distribution License (the "License").
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * You may not use this file except in compliance with the License.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw *
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * or http://www.opensolaris.org/os/licensing.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * See the License for the specific language governing permissions
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * and limitations under the License.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw *
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * When distributing Covered Code, include this CDDL HEADER in each
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * If applicable, add the following below this CDDL HEADER, with the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * fields enclosed by brackets "[]" replaced with your own identifying
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * information: Portions Copyright [yyyy] [name of copyright owner]
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw *
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * CDDL HEADER END
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw */
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw/*
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Use is subject to license terms.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw */
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#pragma ident "@(#)smbd_join.c 1.9 08/07/17 SMI"
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <syslog.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <synch.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <pthread.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <unistd.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <string.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <strings.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <sys/errno.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <smbsrv/libsmb.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <smbsrv/libsmbrdr.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <smbsrv/libsmbns.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <smbsrv/libmlsvc.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <smbsrv/smbinfo.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <smbsrv/ntstatus.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw#include <smbsrv/lsalib.h>
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw
/*
 * Upper bound, in seconds, on how long a caller waits for a domain
 * controller to be located.
 */
#define	SMB_NETLOGON_TIMEOUT	30

/*
 * Request bits stored in smb_netlogon_info.snli_flags. Each bit is
 * paired with one of the condition variables in that structure:
 * LOCATE_DC with the locate condition, LSA_QUERY with the query one.
 */
#define	SMB_NETLF_LOCATE_DC	0x00000001
#define	SMB_NETLF_LSA_QUERY	0x00000002
/*
 * State shared between callers of smbd_locate_dc() and the DC browser
 * and LSA monitor threads.
 *
 * NOTE(review): snli_flags is a single word, but in this file the
 * SMB_NETLF_LOCATE_DC bit is changed while holding snli_locate_mtx and
 * the SMB_NETLF_LSA_QUERY bit while holding snli_query_mtx. Two
 * read-modify-write updates under different locks can overwrite each
 * other; confirm whether one lock (or one flag word per lock) is
 * intended.
 */
typedef struct smb_netlogon_info {
	/* Domain whose DC is being located (set by smbd_locate_dc). */
	char		snli_domain[SMB_PI_MAX_DOMAIN];
	/* Preferred DC for that request; empty string means any DC. */
	char		snli_dc[MAXHOSTNAMELEN];
	/* Bitmask of SMB_NETLF_* request bits. */
	unsigned int	snli_flags;
	/* Lock and condition used for SMB_NETLF_LOCATE_DC requests. */
	mutex_t		snli_locate_mtx;
	cond_t		snli_locate_cv;
	/* Lock and condition used for SMB_NETLF_LSA_QUERY requests. */
	mutex_t		snli_query_mtx;
	cond_t		snli_query_cv;
	/* Not referenced in the visible part of this file. */
	uint32_t	snli_status;
} smb_netlogon_info_t;
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw
/* The single, file-private instance of the locator/query state. */
static smb_netlogon_info_t smb_netlogon_info;

/* NT4 domain support is not yet available. */
static boolean_t nt4_domain_support = B_FALSE;

/* Thread identifiers; the first two are filled in by smb_netlogon_init. */
static pthread_t lsa_monitor_thr;
static pthread_t dc_browser_thr;
static pthread_t locate_dc_thr;

/* Thread entry points, defined later in this file. */
static void *smb_netlogon_lsa_monitor(void *);
static void *smb_netlogon_dc_browser(void *);
/*
 * Report whether usable domain information is available.
 *
 * timeout is handed unchanged to smb_getdomaininfo(), so the caller
 * chooses whether to wait (presumably a number of seconds; confirm
 * against smb_getdomaininfo).
 *
 * Returns B_TRUE only when domain information was obtained and its
 * ipaddr field is non-zero; B_FALSE otherwise.
 */
static boolean_t
smb_ntdomain_is_valid(uint32_t timeout)
{
	smb_ntdomain_t *di = smb_getdomaininfo(timeout);

	if (di == NULL || di->ipaddr == 0)
		return (B_FALSE);

	return (B_TRUE);
}
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw
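/*
 * Retrieve the kpasswd server from krb5.conf.
 *
 * srv - caller's buffer for the server name; always NUL-terminated on
 *       return when it is usable.
 * len - size of srv in bytes.
 *
 * Returns 0 if a non-empty kpasswd_server value was copied into srv,
 * -1 if the file cannot be opened, no value was found, or srv/len
 * describe an unusable buffer.
 *
 * The configuration path comes from the KRB5_CONFIG environment
 * variable when it is set, so the value returned here is only as
 * trustworthy as the environment the daemon was started with.
 *
 * NOTE(review): the first line containing "kpasswd_server" wins, with
 * no regard for which section or realm it sits in, and the substring
 * match also hits keys that merely contain that text. Confirm this is
 * acceptable for multi-realm configurations.
 */
static int
smbd_get_kpasswd_srv(char *srv, size_t len)
{
	FILE *fp;
	/*
	 * Automatic rather than static storage: nothing needs the line
	 * after return, and a shared static buffer would be overwritten
	 * by a concurrent caller.
	 */
	char line[512];
	const char *path;
	char *val;

	/* Nothing can be stored safely in a missing or zero-size buffer. */
	if (srv == NULL || len == 0)
		return (-1);

	*srv = '\0';
	path = getenv("KRB5_CONFIG");
	if (path == NULL || *path == '\0')
		path = "/etc/krb5/krb5.conf";

	if ((fp = fopen(path, "r")) == NULL)
		return (-1);

	while (fgets(line, sizeof (line), fp) != NULL) {
		/*
		 * Skip comment lines. trim_whitespace() is assumed to
		 * strip leading blanks in place so that '#' lands in the
		 * first byte; confirm against its definition.
		 */
		(void) trim_whitespace(line);
		if (*line == '#')
			continue;

		if ((val = strstr(line, "kpasswd_server")) == NULL)
			continue;

		/* Take whatever follows the '=' as the server name. */
		if ((val = strchr(val, '=')) != NULL) {
			(void) trim_whitespace(++val);
			(void) strlcpy(srv, val, len);
		}
		break;
	}

	(void) fclose(fp);
	return ((*srv == '\0') ? -1 : 0);
}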
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw
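/*
 * Overwrite a buffer that held secret material. The volatile-qualified
 * pointer keeps the compiler from discarding the stores as dead writes
 * to an object that is about to go out of scope.
 */
static void
smbd_join_scrub(void *buf, size_t len)
{
	volatile unsigned char *p = buf;

	while (len-- != 0)
		*p++ = 0;
}

/*
 * smbd_join
 *
 * Joins the specified domain/workgroup.
 *
 * info - join request: mode, domain_name and, for a domain join,
 *        domain_username and domain_passwd.
 *
 * Workgroup mode records the new mode and name and returns
 * NT_STATUS_SUCCESS. Domain mode clears previous membership, stages
 * the IPC credentials, locates a domain controller and calls
 * mlsvc_join(); the NT status of the first failing step, or of
 * mlsvc_join(), is returned.
 *
 * The local copies of the plain-text password and its NTLM hash are
 * wiped before every return from the domain-join path so that they do
 * not linger on the stack of a long-running daemon.
 */
uint32_t
smbd_join(smb_joininfo_t *info)
{
	smb_ntdomain_t *pi;
	uint32_t status;
	unsigned char passwd_hash[SMBAUTH_HASH_SZ];
	char plain_passwd[PASS_LEN + 1];
	char plain_user[PASS_LEN + 1];
	char nbt_domain[SMB_PI_MAX_DOMAIN];
	char fqdn[MAXHOSTNAMELEN];
	char dc[MAXHOSTNAMELEN];
	char kpasswd_domain[MAXHOSTNAMELEN];

	/*
	 * The config lookups below have their results ignored, so start
	 * from empty strings instead of reading indeterminate bytes
	 * when a lookup fails.
	 */
	kpasswd_domain[0] = '\0';
	nbt_domain[0] = '\0';

	(void) smb_config_getstr(SMB_CI_KPASSWD_DOMAIN, kpasswd_domain,
	    sizeof (kpasswd_domain));

	if (info->mode == SMB_SECMODE_WORKGRP) {
		/*
		 * The original test compared the array itself with '\0',
		 * which is never true, so the keytab cleanup was dead
		 * code. Test the first character: no kpasswd domain is
		 * configured.
		 */
		if ((smb_config_get_secmode() == SMB_SECMODE_DOMAIN) &&
		    *kpasswd_domain == '\0') {

			if (smb_ads_domain_change_cleanup("") != 0) {
				syslog(LOG_ERR, "smbd: unable to remove the"
				    " old keys from the Kerberos keytab. "
				    "Please remove the old keys for your "
				    "host principal.");
			}
		}

		(void) smb_config_getstr(SMB_CI_DOMAIN_NAME, nbt_domain,
		    sizeof (nbt_domain));

		(void) smb_config_set_secmode(info->mode);
		(void) smb_config_setstr(SMB_CI_DOMAIN_NAME, info->domain_name);

		/* Only reconfigure the browser when the name changed. */
		if (strcasecmp(nbt_domain, info->domain_name))
			smb_browser_reconfig();

		return (NT_STATUS_SUCCESS);
	}

	/*
	 * Ensure that any previous membership of this domain has
	 * been cleared from the environment before we start. This
	 * will ensure that we don't attempt a NETLOGON_SAMLOGON
	 * when attempting to find the PDC.
	 */
	(void) smb_config_setbool(SMB_CI_DOMAIN_MEMB, B_FALSE);

	(void) strlcpy(plain_user, info->domain_username, sizeof (plain_user));
	(void) strlcpy(plain_passwd, info->domain_passwd,
	    sizeof (plain_passwd));
	(void) smb_resolve_netbiosname(info->domain_name, nbt_domain,
	    sizeof (nbt_domain));

	if (smb_resolve_fqdn(info->domain_name, fqdn, sizeof (fqdn)) != 1) {
		syslog(LOG_ERR, "smbd: fully-qualified domain name is unknown");
		status = NT_STATUS_INVALID_PARAMETER;
		goto out;
	}

	if (smb_ads_domain_change_cleanup(fqdn)) {
		syslog(LOG_ERR, "smbd: unable to remove the old keys from the"
		    " Kerberos keytab. Please remove the old keys for your "
		    "host principal.");
		status = NT_STATUS_INTERNAL_ERROR;
		goto out;
	}

	if (smb_auth_ntlm_hash(plain_passwd, passwd_hash) != SMBAUTH_SUCCESS) {
		status = NT_STATUS_INTERNAL_ERROR;
		syslog(LOG_ERR, "smbd: could not compute ntlm hash for '%s'",
		    plain_user);
		goto out;
	}

	/* Stage the credentials; committed or rolled back below. */
	smbrdr_ipc_set(plain_user, passwd_hash);

	/* An empty dc (no kpasswd_server configured) means "any DC". */
	(void) smbd_get_kpasswd_srv(dc, sizeof (dc));
	if (!smbd_locate_dc(nbt_domain, dc)) {
		smbrdr_ipc_rollback();
		syslog(LOG_ERR,
		    "smbd: failed locating domain controller for %s",
		    info->domain_name);
		status = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
		goto out;
	}

	if ((pi = smb_getdomaininfo(0)) == NULL) {
		/*
		 * NOTE(review): unlike the other failures after
		 * smbrdr_ipc_set(), this path does not call
		 * smbrdr_ipc_rollback(); confirm whether the staged
		 * credentials should be dropped here as well.
		 */
		status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
		if (*dc == '\0')
			syslog(LOG_ERR, "smbd: could not get domain "
			    "controller information for '%s'",
			    info->domain_name);
		else
			syslog(LOG_ERR, "smbd: could not get the "
			    "specified domain controller information "
			    "'%s'", dc);
		goto out;
	}

	/*
	 * Temporary delay before creating
	 * the workstation trust account.
	 */
	(void) sleep(2);
	status = mlsvc_join(pi->server, pi->domain,
	    plain_user, plain_passwd);

	if (status == NT_STATUS_SUCCESS) {
		(void) smb_config_set_secmode(SMB_SECMODE_DOMAIN);
		(void) smb_config_setstr(SMB_CI_DOMAIN_NAME,
		    info->domain_name);
		smbrdr_ipc_commit();
	} else {
		smbrdr_ipc_rollback();
		syslog(LOG_ERR, "smbd: failed joining %s (%s)",
		    info->domain_name, xlate_nt_status(status));
	}

out:
	/*
	 * Both buffers are automatic objects that cease to exist on
	 * return, so no callee can still need their contents.
	 */
	smbd_join_scrub(plain_passwd, sizeof (plain_passwd));
	smbd_join_scrub(passwd_hash, sizeof (passwd_hash));
	return (status);
}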
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb
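/*
 * smbd_locate_dc
 *
 * This is the entry point for discovering a domain controller for the
 * specified domain. The caller may block here for around 30 seconds if
 * the system has to go to the network and find a domain controller.
 * Sometime it would be good to change this to smb_locate_pdc and allow
 * the caller to specify whether or not he wants to wait for a response.
 *
 * The actual work of discovering a DC is handled by other threads.
 * All we do here is signal the request and wait for a DC or a timeout.
 *
 * domain - domain to be discovered; NULL or empty returns B_FALSE.
 * dc     - preferred DC. If the preferred DC is an empty string (or
 *          NULL), any DC in the specified domain will be attempted.
 *
 * Returns B_TRUE if a domain controller is available.
 *
 * NOTE(review): when a locate request is already pending, this call
 * does not record its own domain/dc; it waits for the pending request
 * and then reports on whatever domain information is current. Confirm
 * that callers never ask for two different domains concurrently.
 */
boolean_t
smbd_locate_dc(char *domain, char *dc)
{
	int rc;
	timestruc_t to;

	if (domain == NULL || *domain == '\0')
		return (B_FALSE);

	/*
	 * domain is checked for NULL above; give dc the same treatment
	 * so the copy below never reads through a null pointer.
	 */
	if (dc == NULL)
		dc = "";

	(void) mutex_lock(&smb_netlogon_info.snli_locate_mtx);

	/* Post a new request only if none is outstanding. */
	if ((smb_netlogon_info.snli_flags & SMB_NETLF_LOCATE_DC) == 0) {
		smb_netlogon_info.snli_flags |= SMB_NETLF_LOCATE_DC;
		(void) strlcpy(smb_netlogon_info.snli_domain, domain,
		    SMB_PI_MAX_DOMAIN);
		(void) strlcpy(smb_netlogon_info.snli_dc, dc,
		    MAXHOSTNAMELEN);
		(void) cond_broadcast(&smb_netlogon_info.snli_locate_cv);
	}

	/*
	 * Wait until the request bit is cleared or the wait times out.
	 * The relative timeout is re-armed on every pass, so a wakeup
	 * that leaves the bit set starts a fresh 30 second wait.
	 */
	while (smb_netlogon_info.snli_flags & SMB_NETLF_LOCATE_DC) {
		to.tv_sec = SMB_NETLOGON_TIMEOUT;
		to.tv_nsec = 0;
		rc = cond_reltimedwait(&smb_netlogon_info.snli_locate_cv,
		    &smb_netlogon_info.snli_locate_mtx, &to);

		if (rc == ETIME)
			break;
	}

	(void) mutex_unlock(&smb_netlogon_info.snli_locate_mtx);

	/* Non-blocking check of the outcome. */
	return (smb_ntdomain_is_valid(0));
}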
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego
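/*
 * smb_netlogon_init
 *
 * Initialization of the DC browser and LSA monitor threads.
 * Both threads are created detached.
 *
 * Returns 0 on success, an error number if thread creation fails.
 */
int
smb_netlogon_init(void)
{
	pthread_attr_t tattr;
	int rc;

	(void) pthread_attr_init(&tattr);
	(void) pthread_attr_setdetachstate(&tattr, PTHREAD_CREATE_DETACHED);

	rc = pthread_create(&lsa_monitor_thr, &tattr,
	    smb_netlogon_lsa_monitor, 0);
	if (rc != 0)
		goto nli_exit;

	rc = pthread_create(&dc_browser_thr, &tattr,
	    smb_netlogon_dc_browser, 0);
	if (rc != 0) {
		/*
		 * Undo the first thread. It was created detached, so it
		 * cannot be joined: pthread_join() on a detached thread
		 * is not valid, and the call the original made here has
		 * been dropped. Cancellation alone is requested.
		 */
		(void) pthread_cancel(lsa_monitor_thr);
	}

nli_exit:
	(void) pthread_attr_destroy(&tattr);
	return (rc);
}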
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego
/*
 * smb_netlogon_dc_browser
 *
 * Body of the DC browser thread. It sleeps until a caller posts
 * SMB_NETLF_LOCATE_DC, then tries to find a domain controller for the
 * requested domain.
 *
 * With the introduction of Windows 2000, NetBIOS is no longer a
 * requirement for NT domains. If NetBIOS has been disabled on the
 * network there will be no browsers and no response to netlogon
 * requests, so a DC is looked up via ADS first. Only if that lookup
 * returns 0 and NT4 domain support is enabled is the netlogon
 * protocol tried.
 *
 * Each request waits up to SMB_NETLOGON_TIMEOUT seconds for the domain
 * information to become valid before the waiters are released.
 *
 * NOTE(review): the LSA monitor is notified when the result is NOT
 * B_TRUE, while the monitor's own description says it should be
 * signaled whenever a DC is selected. The condition looks inverted;
 * confirm the intent before relying on it.
 *
 * NOTE(review): snli_flags is modified here under snli_locate_mtx and
 * again under snli_query_mtx. Updates to the same word under two
 * different locks can lose a bit; confirm.
 */
/*ARGSUSED*/
static void *
smb_netlogon_dc_browser(void *arg)
{
	smb_netlogon_info_t *nli = &smb_netlogon_info;
	boolean_t found;
	char domain[SMB_PI_MAX_DOMAIN];
	char dc[MAXHOSTNAMELEN];

	for (;;) {
		/* Sleep until a locate request is posted. */
		(void) mutex_lock(&nli->snli_locate_mtx);
		while (!(nli->snli_flags & SMB_NETLF_LOCATE_DC)) {
			(void) cond_wait(&nli->snli_locate_cv,
			    &nli->snli_locate_mtx);
		}
		(void) mutex_unlock(&nli->snli_locate_mtx);

		/*
		 * Snapshot the request. smbd_locate_dc() writes these
		 * fields only while the request bit is clear, and it is
		 * still set here.
		 */
		(void) strlcpy(domain, nli->snli_domain, sizeof (domain));
		(void) strlcpy(dc, nli->snli_dc, sizeof (dc));

		/* Discard the previous result before searching again. */
		smb_setdomaininfo(NULL, NULL, 0);
		if (smb_msdcs_lookup_ads(domain, dc) == 0) {
			if (nt4_domain_support) {
				/* Try to locate a DC via NetBIOS */
				smb_browser_netlogon(domain);
			}
		}

		found = smb_ntdomain_is_valid(SMB_NETLOGON_TIMEOUT);

		/* Request finished: clear the bit and wake the waiters. */
		(void) mutex_lock(&nli->snli_locate_mtx);
		nli->snli_flags &= ~SMB_NETLF_LOCATE_DC;
		(void) cond_broadcast(&nli->snli_locate_cv);
		(void) mutex_unlock(&nli->snli_locate_mtx);

		if (found == B_TRUE)
			continue;

		/*
		 * Notify the LSA monitor to update the
		 * primary and trusted domain information.
		 */
		(void) mutex_lock(&nli->snli_query_mtx);
		nli->snli_flags |= SMB_NETLF_LSA_QUERY;
		(void) cond_broadcast(&nli->snli_query_cv);
		(void) mutex_unlock(&nli->snli_query_mtx);
	}

	/*NOTREACHED*/
	return (NULL);
}
8d7e41661dc4633488e93b13363137523ce59977jose borrego
8d7e41661dc4633488e93b13363137523ce59977jose borrego/*
8d7e41661dc4633488e93b13363137523ce59977jose borrego * smb_netlogon_lsa_monitor
8d7e41661dc4633488e93b13363137523ce59977jose borrego *
8d7e41661dc4633488e93b13363137523ce59977jose borrego * This monitor should run as a separate thread. It waits on a condition
8d7e41661dc4633488e93b13363137523ce59977jose borrego * variable until someone indicates that the LSA domain information needs
8d7e41661dc4633488e93b13363137523ce59977jose borrego * to be refreshed. It then queries the DC for the NT domain information:
8d7e41661dc4633488e93b13363137523ce59977jose borrego * primary, account and trusted domains. The condition variable should be
8d7e41661dc4633488e93b13363137523ce59977jose borrego * signaled whenever a DC is selected.
8d7e41661dc4633488e93b13363137523ce59977jose borrego *
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Note that the LSA query calls require the DC information and this task
8d7e41661dc4633488e93b13363137523ce59977jose borrego * may end up blocked on the DC location protocol, which is why this
8d7e41661dc4633488e93b13363137523ce59977jose borrego * monitor is run as a separate thread. This should only happen if the DC
8d7e41661dc4633488e93b13363137523ce59977jose borrego * goes down immediately after we located it.
b89a8333f5e1f75ec0c269b22524bd2eccb972banatalie li - Sun Microsystems - Irvine United States */
/*ARGSUSED*/
static void *
smb_netlogon_lsa_monitor(void *arg)
{
	uint32_t rc;

	/*
	 * Thread body: never returns. Each pass waits for one refresh
	 * request and then runs the LSA queries for it. The arg parameter
	 * is not used.
	 */
	for (;;) {
		/*
		 * Sleep until SMB_NETLF_LSA_QUERY is raised. The flag is
		 * re-tested after every wakeup, so a wakeup that arrives
		 * without the flag set simply goes back to waiting.
		 */
		(void) mutex_lock(&smb_netlogon_info.snli_query_mtx);
		while (!(smb_netlogon_info.snli_flags & SMB_NETLF_LSA_QUERY))
			(void) cond_wait(&smb_netlogon_info.snli_query_cv,
			    &smb_netlogon_info.snli_query_mtx);

		/*
		 * Consume the request while still holding the mutex, then
		 * release it so the queries below run without the lock.
		 */
		smb_netlogon_info.snli_flags &= ~SMB_NETLF_LSA_QUERY;
		(void) mutex_unlock(&smb_netlogon_info.snli_query_mtx);

		/*
		 * Skip the LSA query if Authenticated IPC is supported
		 * and the credential is not yet set.
		 */
		if (smbrdr_ipc_skip_lsa_query() != 0)
			continue;

		/*
		 * The account and trusted domain queries are attempted only
		 * after the primary domain query has succeeded. Failures
		 * are reported at LOG_DEBUG only and are not retried until
		 * the flag is raised again.
		 */
		rc = lsa_query_primary_domain_info();
		if (rc != NT_STATUS_SUCCESS) {
			syslog(LOG_DEBUG,
			    "NetlogonLSAMonitor: update failed");
			continue;
		}

		if (lsa_query_account_domain_info() != NT_STATUS_SUCCESS) {
			syslog(LOG_DEBUG,
			    "NetlogonLSAMonitor: query "
			    "account info failed");
		}

		if (lsa_enum_trusted_domains() != NT_STATUS_SUCCESS) {
			syslog(LOG_DEBUG,
			    "NetlogonLSAMonitor: enum "
			    "trusted domain failed");
		}
	}

	/*NOTREACHED*/
	return (NULL);
}
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego/*
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * smb_set_netlogon_cred
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw *
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * If the system is joined to an AD domain via kclient, SMB daemon will need
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * to establish the NETLOGON credential chain.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw *
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * Since the kclient has updated the machine password stored in SMF
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * repository, the cached ipc_info must be updated accordingly by calling
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * smbrdr_ipc_commit.
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego *
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * Due to potential replication delays in a multiple DC environment, the
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * NETLOGON rpc request must be sent to the DC, to which the KPASSWD request
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * is sent. If the DC discovered by the SMB daemon is different than the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * kpasswd server, the current connection with the DC will be torn down
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * and a DC discovery process will be triggered to locate the kpasswd
8d7e41661dc4633488e93b13363137523ce59977jose borrego * server.
8d7e41661dc4633488e93b13363137523ce59977jose borrego *
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * If joining a new domain, the domain_name property must be set after a
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * successful credential chain setup.
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego */
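void
smb_set_netlogon_cred(void)
{
	smb_ntdomain_t *dp;
	smb_ntdomain_t domain_info;
	/*
	 * The lookups that fill these buffers discard their return values.
	 * Start each buffer zeroed so that a failed lookup leaves an empty
	 * string rather than indeterminate stack contents. Whether the
	 * helpers clear the buffer themselves on failure is not visible
	 * from this function.
	 */
	char kpasswd_srv[MAXHOSTNAMELEN] = { 0 };
	char kpasswd_domain[MAXHOSTNAMELEN] = { 0 };
	char sam_acct[MLSVC_ACCOUNT_NAME_MAX] = { 0 };
	char *ipc_usr, *dom;
	boolean_t new_domain = B_FALSE;

	/* Nothing to do unless the daemon runs in domain security mode. */
	if (smb_config_get_secmode() != SMB_SECMODE_DOMAIN)
		return;

	if (smb_match_netlogon_seqnum())
		return;

	/* No kpasswd server recorded: nothing to synchronise with. */
	(void) smb_config_getstr(SMB_CI_KPASSWD_SRV, kpasswd_srv,
	    sizeof (kpasswd_srv));

	if (*kpasswd_srv == '\0')
		return;

	/*
	 * If the domain join initiated by smbadm join CLI is in
	 * progress, don't do anything. This is detected by the IPC user
	 * not being the machine account ("<hostname>$"). The NULL test is
	 * defensive: whether smbrdr_ipc_get_user() can return NULL is not
	 * visible here.
	 */
	(void) smb_gethostname(sam_acct, MLSVC_ACCOUNT_NAME_MAX - 1, 0);
	(void) strlcat(sam_acct, "$", MLSVC_ACCOUNT_NAME_MAX);
	ipc_usr = smbrdr_ipc_get_user();
	if (ipc_usr == NULL || strcasecmp(ipc_usr, sam_acct) != 0)
		return;

	if ((dp = smb_getdomaininfo(0)) == NULL) {
		/*
		 * No cached domain info: use a local record with an empty
		 * server name. The domain name is emptied first because the
		 * result of smb_getdomainname() is not checked and the name
		 * is passed to strlen() below.
		 */
		*domain_info.server = '\0';
		*domain_info.domain = '\0';
		(void) smb_getdomainname(domain_info.domain,
		    sizeof (domain_info.domain));
		dp = &domain_info;
	}

	(void) smb_config_getstr(SMB_CI_KPASSWD_DOMAIN, kpasswd_domain,
	    sizeof (kpasswd_domain));

	/*
	 * NOTE(review): the comparison is limited to strlen(dp->domain)
	 * characters, so a kpasswd domain that merely begins with the
	 * current domain name is treated as the same domain, and an empty
	 * dp->domain always compares equal. Confirm that this prefix match
	 * is intended before relying on new_domain.
	 */
	if (*kpasswd_domain != '\0' &&
	    strncasecmp(kpasswd_domain, dp->domain, strlen(dp->domain))) {
		dom = kpasswd_domain;
		new_domain = B_TRUE;
	} else {
		dom = dp->domain;
	}

	/*
	 * DC discovery will be triggered if the domain info is not
	 * currently cached or the SMB daemon has previously discovered a DC
	 * that is different than the kpasswd server.
	 */
	if (new_domain || strcasecmp(dp->server, kpasswd_srv) != 0) {
		if (*dp->server != '\0')
			mlsvc_disconnect(dp->server);

		/*
		 * Prefer the kpasswd server; if it cannot be located, fall
		 * back to any DC of the current domain.
		 * NOTE(review): new_domain stays set after the fallback, so
		 * a later NETLOGON success still records kpasswd_domain as
		 * the domain name. Confirm this is intended.
		 */
		if (!smbd_locate_dc(dom, kpasswd_srv))
			(void) smbd_locate_dc(dp->domain, "");

		dp = smb_getdomaininfo(0);
	}

	/*
	 * The cached IPC info is committed on every path that reaches this
	 * point, including the one where discovery left no domain info.
	 */
	smbrdr_ipc_commit();
	if (dp == NULL)
		return;

	if (mlsvc_netlogon(dp->server, dp->domain)) {
		syslog(LOG_ERR, "NETLOGON credential chain establishment"
		    " failed");
	} else if (new_domain) {
		/*
		 * The domain_name property is updated only after the
		 * credential chain has been set up, and the pending
		 * kpasswd domain is cleared with it.
		 */
		(void) smb_config_setstr(SMB_CI_DOMAIN_NAME,
		    kpasswd_domain);
		(void) smb_config_setstr(SMB_CI_KPASSWD_DOMAIN,
		    "");
	}
}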
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego/*
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * smbd_locate_dc_thread()
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego *
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * If necessary, set up Netlogon credential chain and locate a
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * domain controller in the given resource domain.
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego */
static void *
smbd_locate_dc_thread(void *arg)
{
	/*
	 * arg is the resource domain name handed to pthread_create(). It is
	 * read on this thread, so the string has to remain valid until the
	 * lookup below has used it - verify against the caller.
	 */
	if (smb_match_netlogon_seqnum()) {
		/* Sequence numbers match: only a DC needs to be located. */
		(void) smbd_locate_dc((char *)arg, "");
	} else {
		/* Otherwise the NETLOGON credential chain is set up. */
		smb_set_netlogon_cred();
	}

	/* Refresh the primary domain info; the result is not checked. */
	(void) lsa_query_primary_domain_info();

	return (NULL);
}
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw/*
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * smbd_locate_dc_start()
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw *
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Initialization of the locate dc thread.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Returns 0 on success, an error number if thread creation fails.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw */
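/*
 * Start the detached locate-DC thread for resource_domain.
 *
 * resource_domain is passed to the thread by pointer, not copied, so the
 * caller must keep the string valid for as long as the thread may read it.
 *
 * Returns 0 on success, otherwise the error number from the pthread call
 * that failed (attribute setup or thread creation).
 */
int
smbd_locate_dc_start(char *resource_domain)
{
	pthread_attr_t tattr;
	int rc;

	/* An attribute object that failed to initialise must not be used. */
	if ((rc = pthread_attr_init(&tattr)) != 0)
		return (rc);

	/*
	 * Only create the thread once it is known to be detached; a
	 * joinable thread would never be joined by anyone.
	 */
	rc = pthread_attr_setdetachstate(&tattr, PTHREAD_CREATE_DETACHED);
	if (rc == 0) {
		rc = pthread_create(&locate_dc_thr, &tattr,
		    smbd_locate_dc_thread, resource_domain);
	}

	(void) pthread_attr_destroy(&tattr);
	return (rc);
}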
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw