smb_session_setup_andx.c revision b819cea2f73f98c5662230cc9affc8cc84f77fcf
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2013 Nexenta Systems, Inc. All rights reserved.
*/
#include <sys/priv_names.h>
#include <smbsrv/smb_idmap.h>
#include <smbsrv/smb_kproto.h>
#include <smbsrv/smb_token.h>
#ifdef _KERNEL
#endif /* _KERNEL */
/*
* In NTLM 0.12, the padding between the Native OS and Native LM is a bit
* strange. On NT4.0, there is a 2 byte pad between the OS (Windows NT 1381)
* and LM (Windows NT 4.0). On Windows 2000, there is no padding between
* the OS (Windows 2000 2195) and LM (Windows 2000 5.0).
* If the padding is removed from the decode string, the NT4.0 LM comes out
* as an empty string. So if the client's native OS is Win NT we consider
* the padding; otherwise we don't.
*
* For Pre-NTLM 0.12, despite the CIFS/1.0 spec, the user and domain are
* not always present in the message. We try to get the account name and
* the primary domain but we don't care about the native OS or native
* LM fields.
*
* If the Native LM cannot be determined, default to Windows NT.
*/
/*
* NOTE(review): this listing is incomplete. The function signature and the
* calls whose results are tested by the rc checks below are not shown, so
* only the control-flow skeleton is visible.
*/
{
/*
* Native OS / Native LM strings; presumably filled from the client's
* request (see the header comment), so treat them as untrusted hints.
*/
char *native_os;
char *native_lm;
int rc = 0;
/* The statements governed by the rc checks below are not shown. */
if (rc != 0)
/*
* Tail of a call that receives sr and writes through &sinfo->ssi_domain
* and &native_os; the callee's name and leading arguments are not shown.
*/
sr,
&sinfo->ssi_domain,
&native_os);
if (rc != 0)
else
/*
* Fallback Native LM string. The header comment says the code defaults
* to Windows NT when the Native LM cannot be determined; the exact
* condition selecting this branch is not visible here.
*/
native_lm = "NT LAN Manager 4.0";
} else {
if (rc != 0)
if (rc != 0)
/* Same fallback string as in the branch above. */
native_lm = "NT LAN Manager 4.0";
}
}
/*
* NOTE(review): only the return type and an empty brace pair survive in
* this listing; the function name, parameters and body are not shown.
*/
void
{
}
/*
* If signing has not already been enabled on this session check to see if
* it should be enabled. The first authenticated logon provides the MAC
* key and sequence numbers for signing all subsequent sessions on the same
* connection.
*
* NT systems use different native OS and native LanMan values dependent on
* whether they are acting as a client or a server. NT 4.0 server responds
* with the following values:
*
* NativeOS: Windows NT 4.0
* NativeLM: NT LAN Manager 4.0
*/
{
/*
* NOTE(review): incomplete listing - the function signature and most
* statements are not shown.
*/
int rc;
/* Error exit; the condition that guards it is not visible here. */
return (SDRC_ERROR);
/*
* Tests the smb_oplock_levelII setting; the statement it controls is
* not shown.
*/
if (!smb_oplock_levelII)
/*
* Fragment of an argument list (3, -1 as andx_off, sr); presumably part
* of the call that encodes the reply - confirm against the full source.
*/
3,
-1, /* andx_off */
sr,
}
/*
* NOTE(review): incomplete listing - the function name, parameters and the
* statements that set rc are not shown. The surviving lines establish only
* that the function returns -1 on one path and rc on the final path.
*/
static int
{
int rc;
/* Early failure exit; its guarding condition is not visible. */
return (-1);
}
return (rc);
}
/*
* Authenticate a user. If the user has already been authenticated on
* this session, we can simply dup the user and return.
*
* Otherwise, the user information is passed to smbd for authentication.
* If smbd can authenticate the user an access token is returned and we
* generate a cred and new user based on the token.
*/
static int
{
/*
* NOTE(review): incomplete listing - the function name, parameters and
* most statements are not shown. The visible return values are 0 and -1;
* the comments added below describe only what the surviving lines
* establish.
*/
char *p;
/*
* Both password lengths (ssi_cspwlen, ssi_cipwlen) are compared with
* zero here; the rest of the condition and both branch bodies are
* missing. Presumably this classifies the logon type - confirm against
* the full source which requests with empty passwords are accepted,
* and as which identity.
*/
(sinfo->ssi_cspwlen == 0) &&
(sinfo->ssi_cipwlen == 0 ||
} else {
}
/*
* Handle user@domain format. We need to retain the original
* data as this is important in some forms of authentication.
*/
/*
* Cuts a string at p. NOTE(review): the statement that sets p is not
* shown; since the original data must be retained (see above), verify
* that p points into a private copy and not into the request data.
*/
*p = '\0';
}
}
/*
* If no domain name has been provided in domain mode we cannot
* determine if this is a local user or a domain user without
* obtaining an access token. So we postpone the lookup until
* after authentication.
*/
/* Branches on the security mode; both branch bodies are not shown. */
if (security == SMB_SECMODE_WORKGRP) {
} else {
}
return (0);
}
return (-1);
}
/*
* need_lookup is tested here; presumably this is the lookup postponed
* until after authentication (see the comment above) - confirm.
*/
if (need_lookup) {
return (0);
}
}
return (-1);
}
/*
* Save the session key, and (maybe) enable signing,
* but only for real logon (not ANON or GUEST).
*/
/*
* NOTE(review): the key-handling statements are not shown. The -1 return
* below follows this step, so a failure here presumably fails the whole
* authentication - confirm, and confirm that ANON and GUEST logons
* cannot reach the signing setup.
*/
return (-1);
}
return (0);
}
#ifdef _KERNEL
/*
* Allocate a Solaris cred and initialize it based on the access token.
*
* If the user can be mapped to a non-ephemeral ID, the cred gid is set
* to the Solaris user's primary group.
*
* If the mapped UID is ephemeral, or the primary group could not be
* obtained, the cred gid is set to whatever Solaris group is mapped
* to the token's primary group.
*/
cred_t *
{
/*
* NOTE(review): incomplete listing - the function name, parameters and
* most statements are not shown. The function returns cr on the final
* path and NULL on two earlier paths.
*/
/*
* Tail of a condition that requires a non-zero POSIX group count
* (pg_ngrps); the other operands and both branch bodies are not shown.
*/
(posix_grps->pg_ngrps != 0)) {
} else {
}
/*
* Failure exits. NOTE(review): what happens to an already allocated
* cred on these paths is not visible; verify in the full source that
* it is released before returning NULL.
*/
return (NULL);
}
return (NULL);
}
/*
* In the AD world, "take ownership privilege" is very much
* like having Unix "root" privileges. It's normally given
* to members of the "Administrators" group, which normally
* includes the local Administrator (like root) and when
* joined to a domain, "Domain Admins".
*/
/*
* Tail of a NULL-terminated argument list; the callee and its other
* arguments are not shown. NOTE(review): given the comment above, the
* check that gates this call decides who receives root-like power -
* confirm in the full source which token attribute it tests.
*/
NULL);
}
return (cr);
}
/*
* Initialize the ksid based on the given smb_id_t.
*/
static void
{
/*
* NOTE(review): incomplete listing - the function name, parameters and
* all statements are not shown; only the two locals survive.
*/
/*
* Fixed-size stack buffer of SMB_SID_STRSZ bytes, presumably for the
* string form of the SID. Verify in the full source that whatever
* writes into it is bounded by this size.
*/
char sidstr[SMB_SID_STRSZ];
int rc;
}
/*
* Allocate and initialize the ksidlist based on the access token group list.
*/
static ksidlist_t *
{
/*
* NOTE(review): incomplete listing - the function name, parameters, the
* allocation of lp and the statements that fill it are not shown. The
* function returns lp.
*/
/*
* Presumably the index over the token's group list - confirm, and
* verify that the group count used to size the list is bounded.
*/
int i;
ksidlist_t *lp;
}
return (lp);
}
#endif /* _KERNEL */
/*
* Convert access token privileges to local definitions.
*/
static uint32_t
{
/*
* NOTE(review): incomplete listing - the function name, parameters and
* the statements that set individual privilege bits are not shown.
*/
/* Result value; starts at 0, i.e. no privileges. */
uint32_t privileges = 0;
return (privileges);
}