smb_logon.c revision bbf6f00c25b6a2bed23c35eac6d62998ecdb338c
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
* Security database interface.
*/
#include <unistd.h>
#include <strings.h>
#include <pwd.h>
#include <grp.h>
#include <time.h>
#include <syslog.h>
#include <assert.h>
#include <synch.h>
#include <smbsrv/libmlsvc.h>
#include <smbsrv/smb_token.h>
#include <lsalib.h>
static smb_account_t smb_guest;
static smb_account_t smb_domusers;
static rwlock_t smb_logoninit_rwl;
smb_passwd_t *);
static void smb_guest_account(char *, size_t);
/* Consolidation private function from Network Repository */
extern int _getgroupsbymember(const char *, gid_t[], int, int);
static idmap_stat
{
int i;
return (IDMAP_ERR_ARG);
} else {
/* User SID */
if (stat != IDMAP_SUCCESS)
return (stat);
/* Owner SID */
if (stat != IDMAP_SUCCESS)
return (stat);
}
/* Primary Group SID */
if (stat != IDMAP_SUCCESS)
return (stat);
/* Other Windows Group SIDs */
if (stat != IDMAP_SUCCESS)
break;
}
return (stat);
}
/*
* smb_token_sids2ids
*
*
* Returns 0 upon success. Otherwise, returns -1.
*/
static int
{
/*
* Number of idmap lookups: user SID, owner SID, primary group SID,
*/
else
do {
if (stat != IDMAP_SUCCESS)
return (-1);
if (stat != IDMAP_SUCCESS) {
return (-1);
}
if (stat == IDMAP_ERR_RPC_HANDLE)
if (smb_idmap_restart() < 0)
break;
}
/*
* smb_token_create_pxgrps
*
* Setup the POSIX group membership of the access token if the given UID is
* a POSIX UID (non-ephemeral). Both the user's primary group and
* supplementary groups will be added to the POSIX group array of the access
* token.
*/
static smb_posix_grps_t *
{
int ngroups_max, num;
return (NULL);
}
return (NULL);
return (pgrps);
}
return (NULL);
return (pgrps);
}
return (NULL);
}
/*
* Setup the groups starting at index 1 (the last arg)
* of gids array.
*/
if (num == -1) {
"to get user's supplementary groups");
num = 1;
}
if (pgrps) {
}
return (pgrps);
}
/*
* smb_token_destroy
*
* Release all of the memory associated with a token structure. Ensure
* that the token has been unlinked before calling.
*/
void
{
}
}
/*
* Token owner should be set to local Administrators group
* in two cases:
* 1. The logged on user is a member of Domain Admins group
*/
static void
{
#ifdef SMB_SUPPORT_GROUP_OWNER
} else {
}
#endif
}
static smb_privset_t *
{
int rc;
privs = smb_privset_new();
return (NULL);
return (NULL);
}
smb_lgrp_free(&grp);
}
if (rc == SMB_LGRP_SUCCESS) {
smb_lgrp_free(&grp);
}
/*
*/
}
return (privs);
}
static void
{
}
/*
* Common token setup for both local and domain users.
* This function must be called after the initial setup
* has been done.
*
* Note that the order of calls in this function are important.
*/
static uint32_t
{
return (NT_STATUS_NO_MEMORY);
/* Privileges */
return (NT_STATUS_NO_MEMORY);
if (smb_token_sids2ids(token) != 0) {
return (NT_STATUS_INTERNAL_ERROR);
}
/* Solaris Groups */
return (NT_STATUS_SUCCESS);
}
smb_logon_init(void)
{
(void) rw_wrlock(&smb_logoninit_rwl);
if (status != NT_STATUS_SUCCESS) {
(void) rw_unlock(&smb_logoninit_rwl);
return (status);
}
&smb_domusers);
if (status != NT_STATUS_SUCCESS) {
(void) rw_unlock(&smb_logoninit_rwl);
return (status);
}
(void) rw_unlock(&smb_logoninit_rwl);
return (status);
}
void
smb_logon_fini(void)
{
(void) rw_wrlock(&smb_logoninit_rwl);
(void) rw_unlock(&smb_logoninit_rwl);
}
/*
* smb_logon
*
* Performs user authentication and creates a token if the
* authentication is successful.
*
* Returns pointer to the created token.
*/
{
return (NULL);
}
if (status == NT_STATUS_INVALID_LOGON_TYPE) {
if (status != NT_STATUS_SUCCESS) {
if ((status == NT_STATUS_INVALID_LOGON_TYPE) ||
}
if (status == NT_STATUS_NO_SUCH_USER)
}
if (status == NT_STATUS_SUCCESS) {
return (token);
}
return (NULL);
}
/*
* smb_logon_domain
*
* Performs pass through authentication with PDC.
*/
static uint32_t
{
if (status == NT_STATUS_CANT_ACCESS_DOMAIN_INFO) {
return (status);
}
}
}
return (status);
}
/*
* smb_logon_local
*
* Check to see if connected user has an entry in the local
* smbpasswd database. If it has, tries both LM hash and NT
* hash with user's password(s) to authenticate the user.
*/
static uint32_t
{
char guest[SMB_USERNAME_MAXLEN];
/* Make sure this is not a domain user */
if (smb_config_get_secmode() == SMB_SECMODE_DOMAIN) {
return (NT_STATUS_INVALID_LOGON_TYPE);
}
}
if (status == NT_STATUS_SUCCESS) {
if (isguest)
else
}
return (status);
}
/*
* If there's a local guest account with password or if
* guest is mapped to a local account with password then
* it should be authenticated
*/
static uint32_t
{
char guest[SMB_USERNAME_MAXLEN];
char *temp;
if ((status == NT_STATUS_SUCCESS) ||
(status == NT_STATUS_NO_SUCH_USER)) {
}
return (status);
}
/*
* If 'clnt' represents an anonymous user (no password)
* then setup the token accordingly, otherwise return
* NT_STATUS_INVALID_LOGON_TYPE
*/
static uint32_t
{
return (smb_token_setup_anon(token));
}
return (NT_STATUS_INVALID_LOGON_TYPE);
}
static uint32_t
{
return (NT_STATUS_NO_SUCH_USER);
return (NT_STATUS_ACCOUNT_DISABLED);
}
return (NT_STATUS_NO_MEMORY);
}
}
return (status);
}
/*
* Setup an access token for the specified local user.
*/
static uint32_t
{
char pwbuf[1024];
char nbname[NETBIOS_NAME_SZ];
return (NT_STATUS_NO_MEMORY);
return (NT_STATUS_NO_SUCH_USER);
/* Get the SID for user's uid & gid */
if (stat != IDMAP_SUCCESS)
return (NT_STATUS_INTERNAL_ERROR);
if (stat != IDMAP_SUCCESS) {
return (NT_STATUS_INTERNAL_ERROR);
}
if (stat != IDMAP_SUCCESS) {
return (NT_STATUS_INTERNAL_ERROR);
}
return (NT_STATUS_INTERNAL_ERROR);
return (NT_STATUS_NO_MEMORY);
return (smb_token_setup_wingrps(token));
}
/*
* Setup access token for guest connections
*/
static uint32_t
{
(void) rw_rdlock(&smb_logoninit_rwl);
(void) rw_unlock(&smb_logoninit_rwl);
return (NT_STATUS_NO_MEMORY);
return (smb_token_setup_wingrps(token));
}
/*
* Setup access token for anonymous connections
*/
static uint32_t
{
return (NT_STATUS_NO_MEMORY);
return (smb_token_setup_wingrps(token));
}
/*
* smb_token_user_sid
*
* Return a pointer to the user SID in the specified token. A null
* pointer indicates an error.
*/
static smb_sid_t *
{
}
/*
* smb_token_group_sid
*
* Return a pointer to the group SID as indicated by the iterator.
* Setting the iterator to 0 before calling this function will return
* the first group, which will always be the primary group. The
* iterator will be incremented before returning the SID so that this
* function can be used to cycle through the groups. The caller can
* adjust the iterator as required between calls to obtain any specific
* group.
*
* On success a pointer to the appropriate group SID will be returned.
* Otherwise a null pointer will be returned.
*/
static smb_sid_t *
{
int index;
return (NULL);
return (NULL);
return (NULL);
++(*iterator);
}
/*
* smb_token_is_member
*
* This function will determine whether or not the specified SID is a
* member of a token. The user SID and all group SIDs are tested.
* Returns 1 if the SID is a member of the token. Otherwise returns 0.
*/
static boolean_t
{
int iterator = 0;
return (B_FALSE);
while (tsid) {
return (B_TRUE);
}
return (B_FALSE);
}
/*
* smb_token_log
*
* Diagnostic routine to write the contents of a token to the log.
*/
void
{
char sidstr[SMB_SID_STRSZ];
int i;
return;
" Grp[%d].Sid: %s (id=%u)", i, sidstr,
}
}
} else {
}
if (x_grps) {
} else {
}
if (token->tkn_privileges)
else
}
/*
* Sets up local and well-known group membership for the given
* token. Two assumptions have been made here:
*
* a) token already contains a valid user SID so that group
* memberships can be established
*
* b) token belongs to a local or anonymous user
*/
static uint32_t
{
/*
* We always want the user's primary group in the list
* of groups.
*/
return (NT_STATUS_NO_MEMORY);
return (NT_STATUS_NO_MEMORY);
}
if (status != NT_STATUS_SUCCESS) {
return (status);
}
if (status != NT_STATUS_SUCCESS) {
return (status);
}
return (status);
}
/*
* Returns the guest account name in the provided buffer.
*
* By default the name would be "guest" unless there's
* a idmap name-based rule which maps the guest to a local
* Solaris user in which case the name of that user is
* returned.
*/
static void
{
char pwbuf[1024];
int idtype;
/* default Guest account name */
(void) rw_rdlock(&smb_logoninit_rwl);
(void) rw_unlock(&smb_logoninit_rwl);
if (stat != IDMAP_SUCCESS)
return;
/* Ephemeral ID, return the default name */
return;
return;
}