smbd_join.c revision b89a8333f5e1f75ec0c269b22524bd2eccb972ba
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#include <syslog.h>
#include <synch.h>
#include <pthread.h>
#include <unistd.h>
#include <string.h>
#include <strings.h>
#include <sys/errno.h>
#include <smbsrv/libsmb.h>
#include <smbsrv/libsmbrdr.h>
#include <smbsrv/libsmbns.h>
#include <smbsrv/libmlsvc.h>
#include <smbsrv/smbinfo.h>
#include <smbsrv/ntstatus.h>
#include <smbsrv/lsalib.h>
/*
* Maximum time to wait for a domain controller (30 seconds).
*/
#define SMB_NETLOGON_TIMEOUT 30
/*
* Flags used in conjunction with the location and query condition
* variables.
*/
#define SMB_NETLF_LOCATE_DC 0x00000001
#define SMB_NETLF_LSA_QUERY 0x00000002
typedef struct smb_netlogon_info {
char snli_domain[SMB_PI_MAX_DOMAIN];
char snli_dc[MAXHOSTNAMELEN];
unsigned snli_flags;
mutex_t snli_locate_mtx;
cond_t snli_locate_cv;
mutex_t snli_query_mtx;
cond_t snli_query_cv;
uint32_t snli_status;
} smb_netlogon_info_t;
static smb_netlogon_info_t smb_netlogon_info;
/* NT4 domain support is not yet available. */
static boolean_t nt4_domain_support = B_FALSE;
static pthread_t lsa_monitor_thr;
static pthread_t dc_browser_thr;
static pthread_t locate_dc_thr;
static void *smb_netlogon_lsa_monitor(void *arg);
static void *smb_netlogon_dc_browser(void *arg);
/*
* Inline convenience function to find out if the domain information is
* valid. The caller can decide whether or not to wait.
*/
static boolean_t
smb_ntdomain_is_valid(uint32_t timeout)
{
smb_ntdomain_t *info;
if ((info = smb_getdomaininfo(timeout)) != 0) {
if (info->ipaddr != 0)
return (B_TRUE);
}
return (B_FALSE);
}
/*
* Retrieve the kpasswd server from krb5.conf.
*/
static int
smbd_get_kpasswd_srv(char *srv, size_t len)
{
FILE *fp;
static char buf[512];
char *p;
*srv = '\0';
p = getenv("KRB5_CONFIG");
if (p == NULL || *p == '\0')
p = "/etc/krb5/krb5.conf";
if ((fp = fopen(p, "r")) == NULL)
return (-1);
while (fgets(buf, sizeof (buf), fp)) {
/* Weed out any comment text */
(void) trim_whitespace(buf);
if (*buf == '#')
continue;
if ((p = strstr(buf, "kpasswd_server")) != NULL) {
if ((p = strchr(p, '=')) != NULL) {
(void) trim_whitespace(++p);
(void) strlcpy(srv, p, len);
}
break;
}
}
(void) fclose(fp);
return ((*srv == '\0') ? -1 : 0);
}
/*
* smbd_join
*
* Joins the specified domain/workgroup
*/
uint32_t
smbd_join(smb_joininfo_t *info)
{
smb_ntdomain_t *pi;
uint32_t status;
unsigned char passwd_hash[SMBAUTH_HASH_SZ];
char plain_passwd[SMB_PASSWD_MAXLEN + 1];
char plain_user[SMB_USERNAME_MAXLEN + 1];
char nbt_domain[SMB_PI_MAX_DOMAIN];
char fqdn[MAXHOSTNAMELEN];
char dc[MAXHOSTNAMELEN];
char kpasswd_domain[MAXHOSTNAMELEN];
(void) smb_config_getstr(SMB_CI_KPASSWD_DOMAIN, kpasswd_domain,
MAXHOSTNAMELEN);
dssetup_clear_domain_info();
if (info->mode == SMB_SECMODE_WORKGRP) {
if ((smb_config_get_secmode() == SMB_SECMODE_DOMAIN) &&
kpasswd_domain == '\0') {
if (smb_ads_domain_change_cleanup("") != 0) {
syslog(LOG_ERR, "smbd: unable to remove the"
" old keys from the Kerberos keytab. "
"Please remove the old keys for your "
"host principal.");
}
}
(void) smb_config_getstr(SMB_CI_DOMAIN_NAME, nbt_domain,
sizeof (nbt_domain));
(void) smb_config_set_secmode(info->mode);
(void) smb_config_setstr(SMB_CI_DOMAIN_NAME, info->domain_name);
if (strcasecmp(nbt_domain, info->domain_name))
smb_browser_reconfig();
return (NT_STATUS_SUCCESS);
}
/*
* Ensure that any previous membership of this domain has
* been cleared from the environment before we start. This
* will ensure that we don't attempt a NETLOGON_SAMLOGON
* when attempting to find the PDC.
*/
(void) smb_config_setbool(SMB_CI_DOMAIN_MEMB, B_FALSE);
(void) strlcpy(plain_user, info->domain_username, sizeof (plain_user));
(void) strlcpy(plain_passwd, info->domain_passwd,
sizeof (plain_passwd));
(void) smb_resolve_netbiosname(info->domain_name, nbt_domain,
sizeof (nbt_domain));
if (smb_resolve_fqdn(info->domain_name, fqdn, sizeof (fqdn)) != 1) {
syslog(LOG_ERR, "smbd: fully-qualified domain name is unknown");
return (NT_STATUS_INVALID_PARAMETER);
}
if (smb_ads_domain_change_cleanup(fqdn)) {
syslog(LOG_ERR, "smbd: unable to remove the old keys from the"
" Kerberos keytab. Please remove the old keys for your "
"host principal.");
return (NT_STATUS_INTERNAL_ERROR);
}
if (smb_auth_ntlm_hash(plain_passwd, passwd_hash) != SMBAUTH_SUCCESS) {
status = NT_STATUS_INTERNAL_ERROR;
syslog(LOG_ERR, "smbd: could not compute ntlm hash for '%s'",
plain_user);
return (status);
}
smbrdr_ipc_set(plain_user, passwd_hash);
(void) smbd_get_kpasswd_srv(dc, sizeof (dc));
if (smbd_locate_dc(nbt_domain, dc)) {
if ((pi = smb_getdomaininfo(0)) == 0) {
status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
if (*dc == '\0')
syslog(LOG_ERR, "smbd: could not get domain "
"controller information for '%s'",
info->domain_name);
else
syslog(LOG_ERR, "smbd: could not get the "
"specified domain controller information "
"'%s'", dc);
return (status);
}
/*
* Temporary delay before creating
* the workstation trust account.
*/
(void) sleep(2);
status = mlsvc_join(pi->server, pi->domain,
plain_user, plain_passwd);
if (status == NT_STATUS_SUCCESS) {
(void) smb_config_set_secmode(SMB_SECMODE_DOMAIN);
(void) smb_config_setstr(SMB_CI_DOMAIN_NAME,
info->domain_name);
smbrdr_ipc_commit();
return (status);
}
smbrdr_ipc_rollback();
syslog(LOG_ERR, "smbd: failed joining %s (%s)",
info->domain_name, xlate_nt_status(status));
return (status);
}
smbrdr_ipc_rollback();
syslog(LOG_ERR, "smbd: failed locating domain controller for %s",
info->domain_name);
return (NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND);
}
/*
* smbd_locate_dc
*
* This is the entry point for discovering a domain controller for the
* specified domain. The caller may block here for around 30 seconds if
* the system has to go to the network and find a domain controller.
* Sometime it would be good to change this to smb_locate_pdc and allow
* the caller to specify whether or not he wants to wait for a response.
*
* The actual work of discovering a DC is handled by other threads.
* All we do here is signal the request and wait for a DC or a timeout.
*
* domain - domain to be discovered
* dc - preferred DC. If the preferred DC is set to empty string, it
* will attempt to discover any DC in the specified domain.
*
* Returns B_TRUE if a domain controller is available.
*/
boolean_t
smbd_locate_dc(char *domain, char *dc)
{
int rc;
timestruc_t to;
if (domain == NULL || *domain == '\0')
return (B_FALSE);
(void) mutex_lock(&smb_netlogon_info.snli_locate_mtx);
if ((smb_netlogon_info.snli_flags & SMB_NETLF_LOCATE_DC) == 0) {
smb_netlogon_info.snli_flags |= SMB_NETLF_LOCATE_DC;
(void) strlcpy(smb_netlogon_info.snli_domain, domain,
SMB_PI_MAX_DOMAIN);
(void) strlcpy(smb_netlogon_info.snli_dc, dc,
MAXHOSTNAMELEN);
(void) cond_broadcast(&smb_netlogon_info.snli_locate_cv);
}
while (smb_netlogon_info.snli_flags & SMB_NETLF_LOCATE_DC) {
to.tv_sec = SMB_NETLOGON_TIMEOUT;
to.tv_nsec = 0;
rc = cond_reltimedwait(&smb_netlogon_info.snli_locate_cv,
&smb_netlogon_info.snli_locate_mtx, &to);
if (rc == ETIME)
break;
}
(void) mutex_unlock(&smb_netlogon_info.snli_locate_mtx);
return (smb_ntdomain_is_valid(0));
}
/*
* smb_netlogon_init
*
* Initialization of the DC browser and LSA monitor threads.
* Returns 0 on success, an error number if thread creation fails.
*/
int
smb_netlogon_init(void)
{
pthread_attr_t tattr;
int rc;
(void) pthread_attr_init(&tattr);
(void) pthread_attr_setdetachstate(&tattr, PTHREAD_CREATE_DETACHED);
rc = pthread_create(&lsa_monitor_thr, &tattr,
smb_netlogon_lsa_monitor, 0);
if (rc != 0)
goto nli_exit;
rc = pthread_create(&dc_browser_thr, &tattr,
smb_netlogon_dc_browser, 0);
if (rc != 0) {
(void) pthread_cancel(lsa_monitor_thr);
(void) pthread_join(lsa_monitor_thr, NULL);
}
nli_exit:
(void) pthread_attr_destroy(&tattr);
return (rc);
}
/*
* smb_netlogon_dc_browser
*
* This is the DC browser thread: it gets woken up whenever someone
* wants to locate a domain controller.
*
* With the introduction of Windows 2000, NetBIOS is no longer a
* requirement for NT domains. If NetBIOS has been disabled on the
* network there will be no browsers and we won't get any response
* to netlogon requests. So we try to find a DC controller via ADS
* first. If ADS is disabled or the DNS query fails, we drop back
* to the netlogon protocol.
*
* This function will block for up to 30 seconds waiting for the PDC
* to be discovered. Sometime it would be good to change this to
* smb_locate_pdc and allow the caller to specify whether or not he
* wants to wait for a response.
*
*/
/*ARGSUSED*/
static void *
smb_netlogon_dc_browser(void *arg)
{
boolean_t rc;
char resource_domain[SMB_PI_MAX_DOMAIN];
char dc[MAXHOSTNAMELEN];
for (;;) {
(void) mutex_lock(&smb_netlogon_info.snli_locate_mtx);
while ((smb_netlogon_info.snli_flags & SMB_NETLF_LOCATE_DC) ==
0) {
(void) cond_wait(&smb_netlogon_info.snli_locate_cv,
&smb_netlogon_info.snli_locate_mtx);
}
(void) mutex_unlock(&smb_netlogon_info.snli_locate_mtx);
(void) strlcpy(resource_domain, smb_netlogon_info.snli_domain,
SMB_PI_MAX_DOMAIN);
(void) strlcpy(dc, smb_netlogon_info.snli_dc, MAXHOSTNAMELEN);
smb_setdomaininfo(NULL, NULL, 0);
if ((smb_msdcs_lookup_ads(resource_domain, dc) == 0) &&
(nt4_domain_support)) {
/* Try to locate a DC via NetBIOS */
smb_browser_netlogon(resource_domain);
}
rc = smb_ntdomain_is_valid(SMB_NETLOGON_TIMEOUT);
(void) mutex_lock(&smb_netlogon_info.snli_locate_mtx);
smb_netlogon_info.snli_flags &= ~SMB_NETLF_LOCATE_DC;
(void) cond_broadcast(&smb_netlogon_info.snli_locate_cv);
(void) mutex_unlock(&smb_netlogon_info.snli_locate_mtx);
if (rc != B_TRUE) {
/*
* Notify the LSA monitor to update the
* primary and trusted domain information.
*/
(void) mutex_lock(&smb_netlogon_info.snli_query_mtx);
smb_netlogon_info.snli_flags |= SMB_NETLF_LSA_QUERY;
(void) cond_broadcast(&smb_netlogon_info.snli_query_cv);
(void) mutex_unlock(&smb_netlogon_info.snli_query_mtx);
}
}
/*NOTREACHED*/
return (NULL);
}
/*
* smb_netlogon_lsa_monitor
*
* This monitor should run as a separate thread. It waits on a condition
* variable until someone indicates that the LSA domain information needs
* to be refreshed. It then queries the DC for the NT domain information:
* primary, account and trusted domains. The condition variable should be
* signaled whenever a DC is selected.
*
* Note that the LSA query calls require the DC information and this task
* may end up blocked on the DC location protocol, which is why this
* monitor is run as a separate thread. This should only happen if the DC
* goes down immediately after we located it.
*/
/*ARGSUSED*/
static void *
smb_netlogon_lsa_monitor(void *arg)
{
uint32_t status;
for (;;) {
(void) mutex_lock(&smb_netlogon_info.snli_query_mtx);
while ((smb_netlogon_info.snli_flags & SMB_NETLF_LSA_QUERY) ==
0) {
(void) cond_wait(&smb_netlogon_info.snli_query_cv,
&smb_netlogon_info.snli_query_mtx);
}
smb_netlogon_info.snli_flags &= ~SMB_NETLF_LSA_QUERY;
(void) mutex_unlock(&smb_netlogon_info.snli_query_mtx);
/*
* Skip the LSA query if Authenticated IPC is supported
* and the credential is not yet set.
*/
if (smbrdr_ipc_skip_lsa_query() == 0) {
status = lsa_query_primary_domain_info();
if (status == NT_STATUS_SUCCESS) {
if (lsa_query_account_domain_info()
!= NT_STATUS_SUCCESS) {
syslog(LOG_DEBUG,
"NetlogonLSAMonitor: query "
"account info failed");
}
if (lsa_enum_trusted_domains()
!= NT_STATUS_SUCCESS) {
syslog(LOG_DEBUG,
"NetlogonLSAMonitor: enum "
"trusted domain failed");
}
} else {
syslog(LOG_DEBUG,
"NetlogonLSAMonitor: update failed");
}
}
}
/*NOTREACHED*/
return (NULL);
}
/*
* smb_set_netlogon_cred
*
* If the system is joined to an AD domain via kclient, SMB daemon will need
* to establish the NETLOGON credential chain.
*
* Since the kclient has updated the machine password stored in SMF
* repository, the cached ipc_info must be updated accordingly by calling
* smbrdr_ipc_commit.
*
* Due to potential replication delays in a multiple DC environment, the
* NETLOGON rpc request must be sent to the DC, to which the KPASSWD request
* is sent. If the DC discovered by the SMB daemon is different than the
* kpasswd server, the current connection with the DC will be torn down
* and a DC discovery process will be triggered to locate the kpasswd
* server.
*
* If joining a new domain, the domain_name property must be set after a
* successful credential chain setup.
*/
void
smb_set_netlogon_cred(void)
{
smb_ntdomain_t *dp;
smb_ntdomain_t domain_info;
char kpasswd_srv[MAXHOSTNAMELEN];
char kpasswd_domain[MAXHOSTNAMELEN];
char sam_acct[SMB_SAMACCT_MAXLEN];
char *ipc_usr, *dom;
boolean_t new_domain = B_FALSE;
if (smb_config_get_secmode() != SMB_SECMODE_DOMAIN)
return;
if (smb_match_netlogon_seqnum())
return;
(void) smb_config_getstr(SMB_CI_KPASSWD_SRV, kpasswd_srv,
sizeof (kpasswd_srv));
if (*kpasswd_srv == '\0')
return;
/*
* If the domain join initiated by smbadm join CLI is in
* progress, don't do anything.
*/
(void) smb_getsamaccount(sam_acct, sizeof (sam_acct));
ipc_usr = smbrdr_ipc_get_user();
if (strcasecmp(ipc_usr, sam_acct))
return;
if ((dp = smb_getdomaininfo(0)) == NULL) {
*domain_info.server = '\0';
(void) smb_getdomainname(domain_info.domain,
sizeof (domain_info.domain));
dp = &domain_info;
}
(void) smb_config_getstr(SMB_CI_KPASSWD_DOMAIN, kpasswd_domain,
sizeof (kpasswd_domain));
if (*kpasswd_domain != '\0' &&
strncasecmp(kpasswd_domain, dp->domain, strlen(dp->domain))) {
dom = kpasswd_domain;
new_domain = B_TRUE;
} else {
dom = dp->domain;
}
/*
* DC discovery will be triggered if the domain info is not
* currently cached or the SMB daemon has previously discovered a DC
* that is different than the kpasswd server.
*/
if (new_domain || strcasecmp(dp->server, kpasswd_srv) != 0) {
if (*dp->server != '\0')
mlsvc_disconnect(dp->server);
if (!smbd_locate_dc(dom, kpasswd_srv))
(void) smbd_locate_dc(dp->domain, "");
if ((dp = smb_getdomaininfo(0)) == NULL) {
smbrdr_ipc_commit();
return;
}
}
smbrdr_ipc_commit();
if (mlsvc_netlogon(dp->server, dp->domain)) {
syslog(LOG_ERR, "NETLOGON credential chain establishment"
" failed");
} else {
if (new_domain) {
(void) smb_config_setstr(SMB_CI_DOMAIN_NAME,
kpasswd_domain);
(void) smb_config_setstr(SMB_CI_KPASSWD_DOMAIN,
"");
}
}
}
/*
* smbd_locate_dc_thread()
*
* If necessary, set up Netlogon credential chain and locate a
* domain controller in the given resource domain.
*/
static void *
smbd_locate_dc_thread(void *arg)
{
char *resource_domain = (char *)arg;
if (!smb_match_netlogon_seqnum())
smb_set_netlogon_cred();
else
(void) smbd_locate_dc(resource_domain, "");
(void) lsa_query_primary_domain_info();
return (NULL);
}
/*
* smbd_locate_dc_start()
*
* Initialization of the locate dc thread.
* Returns 0 on success, an error number if thread creation fails.
*/
int
smbd_locate_dc_start(char *resource_domain)
{
pthread_attr_t tattr;
int rc;
(void) pthread_attr_init(&tattr);
(void) pthread_attr_setdetachstate(&tattr, PTHREAD_CREATE_DETACHED);
rc = pthread_create(&locate_dc_thr, &tattr, smbd_locate_dc_thread,
resource_domain);
(void) pthread_attr_destroy(&tattr);
return (rc);
}