smbd_join.c revision fd9ee8b58485b20072eeef1310a88ff348d5e7fa
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * CDDL HEADER START
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * The contents of this file are subject to the terms of the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * Common Development and Distribution License (the "License").
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * You may not use this file except in compliance with the License.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * See the License for the specific language governing permissions
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * and limitations under the License.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * When distributing Covered Code, include this CDDL HEADER in each
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * If applicable, add the following below this CDDL HEADER, with the
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * fields enclosed by brackets "[]" replaced with your own identifying
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * information: Portions Copyright [yyyy] [name of copyright owner]
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * CDDL HEADER END
148c5f43199ca0b43fc8e3b643aab11cd66ea327Alan Wright * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintosh#define SMBD_DC_MONITOR_RETRY_INTERVAL 3 /* seconds */
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintosh#define SMBD_DC_MONITOR_INTERVAL 60 /* seconds */
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintoshstatic void *smbd_dc_monitor(void *);
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintoshstatic void smbd_dc_update(void);
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintoshstatic boolean_t smbd_set_netlogon_cred(void);
8d7e41661dc4633488e93b13363137523ce59977jose borregostatic int smbd_get_kpasswd_srv(char *, size_t);
8d7e41661dc4633488e93b13363137523ce59977jose borregostatic uint32_t smbd_join_workgroup(smb_joininfo_t *);
8d7e41661dc4633488e93b13363137523ce59977jose borregostatic uint32_t smbd_join_domain(smb_joininfo_t *);
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintosh * Launch the DC discovery and monitor thread.
fd9ee8b58485b20072eeef1310a88ff348d5e7fajoyce mcintosh (void) smb_config_getstr(SMB_CI_ADS_SITE, smbd.s_site,
fd9ee8b58485b20072eeef1310a88ff348d5e7fajoyce mcintosh (void) smb_config_getip(SMB_CI_DOMAIN_SRV, &smbd.s_pdc);
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintosh (void) pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintosh rc = pthread_create(&smbd.s_dc_monitor_tid, &attr, smbd_dc_monitor,
fd9ee8b58485b20072eeef1310a88ff348d5e7fajoyce mcintosh (void) smb_config_getstr(SMB_CI_ADS_SITE, site, MAXHOSTNAMELEN);
fd9ee8b58485b20072eeef1310a88ff348d5e7fajoyce mcintosh (void) smb_config_getip(SMB_CI_DOMAIN_SRV, &pdc);
fd9ee8b58485b20072eeef1310a88ff348d5e7fajoyce mcintosh if ((bcmp(&smbd.s_pdc, &pdc, sizeof (smb_inaddr_t)) != 0) ||
fd9ee8b58485b20072eeef1310a88ff348d5e7fajoyce mcintosh (smb_strcasecmp(smbd.s_site, site, 0) != 0)) {
fd9ee8b58485b20072eeef1310a88ff348d5e7fajoyce mcintosh bcopy(&pdc, &smbd.s_pdc, sizeof (smb_inaddr_t));
fd9ee8b58485b20072eeef1310a88ff348d5e7fajoyce mcintosh (void) strlcpy(smbd.s_site, site, MAXHOSTNAMELEN);
fd9ee8b58485b20072eeef1310a88ff348d5e7fajoyce mcintosh (void) cond_reltimedwait(&smbd_dc_cv, &smbd_dc_mutex, &delay);
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintosh for (i = 0; i < SMBD_DC_MONITOR_ATTEMPTS; ++i) {
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintosh (void) sleep(SMBD_DC_MONITOR_RETRY_INTERVAL);
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintosh "smbd_dc_monitor: domain service not responding");
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintosh * Locate a domain controller in the current resource domain and Update
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintosh * the Netlogon credential chain.
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintosh * The domain configuration will be updated upon successful DC discovery.
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintosh if (smb_getfqdomainname(domain, MAXHOSTNAMELEN) != 0) {
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintosh (void) smb_getdomainname(domain, MAXHOSTNAMELEN);
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintosh "smbd_dc_update: %s: locate failed", domain);
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintosh "smbd_dc_update: %s: located %s", domain, info.d_dc);
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintosh * Restart required because the domain changed
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintosh * or the credential chain setup failed.
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintosh "smbd_dc_update: %s: smb/server restart required");
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintosh "restart failed: run 'svcs -xv smb/server'"
1fdeec650620e8498c06f832ea4bd2292f7e9632joyce mcintosh " for more information");
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw * smbd_join
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Joins the specified domain/workgroup.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * If the security mode or domain name is being changed,
8d7e41661dc4633488e93b13363137523ce59977jose borrego * the caller must restart the service.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * smbd_set_netlogon_cred
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * If the system is joined to an AD domain via kclient, SMB daemon will need
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * to establish the NETLOGON credential chain.
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * Since the kclient has updated the machine password stored in SMF
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * repository, the cached ipc_info must be updated accordingly by calling
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright * smb_ipc_commit.
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * Due to potential replication delays in a multiple DC environment, the
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * NETLOGON rpc request must be sent to the DC, to which the KPASSWD request
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * is sent. If the DC discovered by the SMB daemon is different than the
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * kpasswd server, the current connection with the DC will be torn down
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * and a DC discovery process will be triggered to locate the kpasswd
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * If joining a new domain, the domain_name property must be set after a
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * successful credential chain setup.
b89a8333f5e1f75ec0c269b22524bd2eccb972banatalie li - Sun Microsystems - Irvine United States char sam_acct[SMB_SAMACCT_MAXLEN];
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb (void) smb_config_getstr(SMB_CI_KPASSWD_SRV, kpasswd_srv,
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * If the domain join initiated by smbadm join CLI is in
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * progress, don't do anything.
b89a8333f5e1f75ec0c269b22524bd2eccb972banatalie li - Sun Microsystems - Irvine United States (void) smb_getsamaccount(sam_acct, sizeof (sam_acct));
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright (void) smb_getfqdomainname(di->di_fqname, MAXHOSTNAMELEN);
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb (void) smb_config_getstr(SMB_CI_KPASSWD_DOMAIN, kpasswd_domain,
bbf6f00c25b6a2bed23c35eac6d62998ecdb338cJordan Brown smb_strcasecmp(kpasswd_domain, di->di_fqname, 0)) {
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * DC discovery will be triggered if the domain info is not
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * currently cached or the SMB daemon has previously discovered a DC
faa1795a28a5c712eed6d0a3f84d98c368a316c6jb * that is different than the kpasswd server.
bbf6f00c25b6a2bed23c35eac6d62998ecdb338cJordan Brown if (new_domain || smb_strcasecmp(dxi.d_dc, kpasswd_srv, 0) != 0) {
8d7e41661dc4633488e93b13363137523ce59977jose borrego "failed to establish NETLOGON credential chain");
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright smb_config_setdomaininfo(di->di_nbname, di->di_fqname,
8d7e41661dc4633488e93b13363137523ce59977jose borrego (void) smb_config_setstr(SMB_CI_KPASSWD_DOMAIN, "");
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Retrieve the kpasswd server from krb5.conf.
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * Initialization of the locate dc thread.
c8ec8eea9849cac239663c46be8a7f5d2ba7ca00jose borrego * Returns 0 on success, an error number if thread creation fails.
8d7e41661dc4633488e93b13363137523ce59977jose borrego return (-1);
8d7e41661dc4633488e93b13363137523ce59977jose borrego /* Weed out any comment text */
8d7e41661dc4633488e93b13363137523ce59977jose borrego if ((p = strstr(buf, "kpasswd_server")) != NULL) {
8d7e41661dc4633488e93b13363137523ce59977jose borrego (void) smb_config_getstr(SMB_CI_DOMAIN_NAME, nb_domain,
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright smb_config_setdomaininfo(info->domain_name, "", "", "", "");
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Ensure that any previous membership of this domain has
8d7e41661dc4633488e93b13363137523ce59977jose borrego * been cleared from the environment before we start. This
8d7e41661dc4633488e93b13363137523ce59977jose borrego * will ensure that we don't attempt a NETLOGON_SAMLOGON
8d7e41661dc4633488e93b13363137523ce59977jose borrego * when attempting to find the PDC.
8d7e41661dc4633488e93b13363137523ce59977jose borrego (void) smb_config_setbool(SMB_CI_DOMAIN_MEMB, B_FALSE);
8d7e41661dc4633488e93b13363137523ce59977jose borrego if (smb_auth_ntlm_hash(info->domain_passwd, passwd_hash)
8d7e41661dc4633488e93b13363137523ce59977jose borrego syslog(LOG_ERR, "smbd: could not compute ntlm hash for '%s'",
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright smb_ipc_set(info->domain_username, passwd_hash);
8d7e41661dc4633488e93b13363137523ce59977jose borrego /* info->domain_name could either be NetBIOS domain name or FQDN */
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright if (smb_locate_dc(info->domain_name, dc, &dxi)) {
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright status = mlsvc_join(&dxi, info->domain_username,
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright smb_config_setdomaininfo(di->di_nbname, di->di_fqname,
8d7e41661dc4633488e93b13363137523ce59977jose borrego syslog(LOG_ERR, "smbd: failed joining %s (%s)",
8d7e41661dc4633488e93b13363137523ce59977jose borrego syslog(LOG_ERR, "smbd: failed locating domain controller for %s",