8d7e41661dc4633488e93b13363137523ce59977jose borrego * CDDL HEADER START
8d7e41661dc4633488e93b13363137523ce59977jose borrego * The contents of this file are subject to the terms of the
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Common Development and Distribution License (the "License").
8d7e41661dc4633488e93b13363137523ce59977jose borrego * You may not use this file except in compliance with the License.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
8d7e41661dc4633488e93b13363137523ce59977jose borrego * See the License for the specific language governing permissions
8d7e41661dc4633488e93b13363137523ce59977jose borrego * and limitations under the License.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * When distributing Covered Code, include this CDDL HEADER in each
8d7e41661dc4633488e93b13363137523ce59977jose borrego * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * If applicable, add the following below this CDDL HEADER, with the
8d7e41661dc4633488e93b13363137523ce59977jose borrego * fields enclosed by brackets "[]" replaced with your own identifying
8d7e41661dc4633488e93b13363137523ce59977jose borrego * information: Portions Copyright [yyyy] [name of copyright owner]
8d7e41661dc4633488e93b13363137523ce59977jose borrego * CDDL HEADER END
148c5f43199ca0b43fc8e3b643aab11cd66ea327Alan Wright * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * DC Locator
8d7e41661dc4633488e93b13363137523ce59977jose borrego#define SMB_IS_FQDN(domain) (strchr(domain, '.') != NULL)
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wrightstatic void *smb_ddiscover_service(void *);
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wrightstatic uint32_t smb_ddiscover_qinfo(char *, char *, smb_domainex_t *);
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wrightstatic void smb_ddiscover_enum_trusted(char *, char *, smb_domainex_t *);
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wrightstatic uint32_t smb_ddiscover_use_config(char *, smb_domainex_t *);
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Rossstatic void smb_set_krb5_realm(char *);
8d7e41661dc4633488e93b13363137523ce59977jose borrego * ===================================================================
8d7e41661dc4633488e93b13363137523ce59977jose borrego * API to initialize DC locator thread, trigger DC discovery, and
8d7e41661dc4633488e93b13363137523ce59977jose borrego * get the discovered DC and/or domain information.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * ===================================================================
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Initialization of the DC locator thread.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Returns 0 on success, an error number if thread creation fails.
8d7e41661dc4633488e93b13363137523ce59977jose borrego (void) pthread_attr_setdetachstate(&tattr, PTHREAD_CREATE_DETACHED);
8d7e41661dc4633488e93b13363137523ce59977jose borrego rc = pthread_create(&smb_dclocator_thr, &tattr,
8d7e41661dc4633488e93b13363137523ce59977jose borrego * This is the entry point for discovering a domain controller for the
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * specified domain. Called during join domain, and then periodically
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * by smbd_dc_update (the "DC monitor" thread).
8d7e41661dc4633488e93b13363137523ce59977jose borrego * The actual work of discovering a DC is handled by DC locator thread.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * All we do here is signal the request and wait for a DC or a timeout.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Input parameters:
8d7e41661dc4633488e93b13363137523ce59977jose borrego * domain - domain to be discovered (can either be NetBIOS or DNS domain)
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Output parameter:
8d7e41661dc4633488e93b13363137523ce59977jose borrego * dp - on success, dp will be filled with the discovered DC and domain
8d7e41661dc4633488e93b13363137523ce59977jose borrego * information.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * Returns B_TRUE if the DC/domain info is available.
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross (void) strlcpy(smb_dclocator.sdl_domain, domain,
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross syslog(LOG_DEBUG, "smb_locate_dc new dom=%s", domain);
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * Tell the domain discovery service to run again now,
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * and assume changed configuration (i.e. a new DC).
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * Like the first part of smb_locate_dc().
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * Note: This is called from the service refresh handler
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * and the door handler to tell the ddiscover thread to
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * request the new DC from idmap. Therefore, we must not
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * trigger a new idmap discovery run from here, or that
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * would start a ping-pong match.
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross/* ARGSUSED */
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross syslog(LOG_DEBUG, "smb_ddiscover_refresh set cfg changed");
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * Called by our client-side threads after they fail to connect to
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * the DC given to them by smb_locate_dc(). This is often called
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * after some delay, because the connection timeout delays these
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * threads for a while, so it's quite common that the DC locator
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * service has already started looking for a new DC. These late
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * notifications should not continually restart the DC locator.
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross syslog(LOG_DEBUG, "smb_ddiscover_bad_dc, cur=%s, bad=%s",
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross if (strcmp(smb_dclocator.sdl_dci.dc_name, bad_dc)) {
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * The "bad" DC is no longer the current one.
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * Probably a late "bad DC" report.
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross /* Someone already marked the current DC as "bad". */
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross syslog(LOG_DEBUG, "smb_ddiscover_bad_dc repeat");
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * Mark the current DC as "bad" and let the DC Locator
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * run again if it's not already.
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross syslog(LOG_INFO, "smb_ddiscover, bad DC: %s", bad_dc);
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross /* In-line smb_ddiscover_kick */
380acbbe9da7dc2cbab5b6db169ec6968dd927faGordon Ross * If domain discovery is running, wait for it to finish.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * ==========================================================
8d7e41661dc4633488e93b13363137523ce59977jose borrego * DC discovery functions
8d7e41661dc4633488e93b13363137523ce59977jose borrego * ==========================================================
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright * This is the domain and DC discovery service: it gets woken up whenever
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright * there is need to locate a domain controller.
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright * Upon success, the SMB domain cache will be populated with the discovered
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright * DC and domain info.
8d7e41661dc4633488e93b13363137523ce59977jose borregostatic void *
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * Wait to be signaled for work by one of:
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * smb_locate_dc(), smb_ddiscover_refresh(),
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * smb_ddiscover_bad_dc()
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross syslog(LOG_DEBUG, "smb_ddiscover_service waiting");
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross sdl->sdl_status = NT_STATUS_INVALID_SERVER_STATE;
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross "not a domain member");
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * Want to know if these change below.
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * Note: mutex held here
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * Need to clear the current DC name or
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * ddiscover_bad_dc will keep setting bad_dc
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross syslog(LOG_DEBUG, "smb_ddiscover_service running "
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross "cfg_chg=%d bad_dc=%d", (int)cfg_chg, (int)bad_dc);
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * Clear the cached DC now so that we'll ask idmap again.
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * If our current DC gave us errors, force rediscovery.
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * Search for the DC, save the result.
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross status = smb_ddiscover_main(sdl->sdl_domain, &dxi);
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * Run again if either of cfg_chg or bad_dc
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * was turned on during smb_ddiscover_main().
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * Note: mutex held here.
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross "restart because bad_dc was set");
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross "restart because cfg_chg was set");
8d7e41661dc4633488e93b13363137523ce59977jose borrego /*NOTREACHED*/
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * Discovers a domain controller for the specified domain via DNS.
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * After the domain controller is discovered successfully primary and
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * trusted domain infromation will be queried using RPC queries.
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * Caller should zero out *dxi before calling, and after a
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross * successful return should call: smb_domain_save()
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Rosssmb_ddiscover_main(char *domain, smb_domainex_t *dxi)
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross syslog(LOG_DEBUG, "smb_ddiscover_main NULL domain");
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross if (smb_domain_start_update() != SMB_DOMAIN_SUCCESS) {
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross syslog(LOG_DEBUG, "smb_ddiscover_main can't get lock");
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross status = smb_ads_lookup_msdcs(domain, &dxi->d_dci);
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross syslog(LOG_DEBUG, "smb_ddiscover_main can't find DC (%s)",
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross status = smb_ddiscover_qinfo(domain, dxi->d_dci.dc_name, dxi);
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross "smb_ddiscover_main can't get domain info (%s)",
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross /* Don't need the trusted domain list anymore. */
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright * Obtain primary and trusted domain information using LSA queries.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * domain - either NetBIOS or fully-qualified domain name
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wrightsmb_ddiscover_qinfo(char *domain, char *server, smb_domainex_t *dxi)
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross /* If we must return failure, use this first one. */
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross ret = lsa_query_dns_domain_info(server, domain, &dxi->d_primary);
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross tmp = lsa_query_primary_domain_info(server, domain, &dxi->d_primary);
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross /* All of the above failed. */
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross smb_ddiscover_enum_trusted(domain, server, dxi);
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright * Obtain trusted domains information using LSA queries.
8d7e41661dc4633488e93b13363137523ce59977jose borrego * domain - either NetBIOS or fully-qualified domain name.
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wrightsmb_ddiscover_enum_trusted(char *domain, char *server, smb_domainex_t *dxi)
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright status = lsa_enum_trusted_domains_ex(server, domain, list);
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright (void) lsa_enum_trusted_domains(server, domain, list);
8d7e41661dc4633488e93b13363137523ce59977jose borrego * If the domain to be discovered matches the current domain (i.e the
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright * value of either domain or fqdn configuration), then get the primary
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wright * domain information from SMF.
a0aa776e20803c84edd153d9cb584fd67163aef3Alan Wrightsmb_ddiscover_use_config(char *domain, smb_domainex_t *dxi)
8d7e41661dc4633488e93b13363137523ce59977jose borrego if (smb_config_get_secmode() != SMB_SECMODE_DOMAIN)
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright smb_config_getdomaininfo(dinfo->di_nbname, dinfo->di_fqname,
bbf6f00c25b6a2bed23c35eac6d62998ecdb338cJordan Brown use = (smb_strcasecmp(dinfo->di_fqname, domain, 0) == 0);
bbf6f00c25b6a2bed23c35eac6d62998ecdb338cJordan Brown use = (smb_strcasecmp(dinfo->di_nbname, domain, 0) == 0);
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright smb_config_getdomaininfo(NULL, NULL, dinfo->di_sid,
29bd28862cfb8abbd3a0f0a4b17e08bbc3652836Alan Wright return ((use) ? NT_STATUS_SUCCESS : NT_STATUS_UNSUCCESSFUL);
b3700b074e637f8c6991b70754c88a2cfffb246bGordon Ross /* In case krb5.conf is not configured, set the default realm. */