/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2010 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
* Copyright 2015 Nexenta Systems, Inc. All rights reserved.
*/
#ifndef _SMB_TOKEN_H
#define _SMB_TOKEN_H
#include <smbsrv/smb_inet.h>
#include <smbsrv/smb_privilege.h>
#include <smbsrv/smb_sid.h>
/*
 * Don't want <smbsrv/netrauth.h> in here, but
 * uts/common/fs/smbsrv/smb_authenticate.c
 * wants this. Todo: cleanup
 *
 * NOTE(review): this value is (presumably) a copy of the one in
 * <smbsrv/netrauth.h>; the two definitions must stay identical, and
 * the duplication should go away when the cleanup above happens.
 */
#define NETR_NETWORK_LOGON 0x02
#ifdef __cplusplus
extern "C" {
#endif
/*
 * 32-bit opaque buffer (non-null terminated strings)
 *
 * len is the number of valid bytes at val.  val is NOT NUL-terminated,
 * so it must never be passed to str*() routines; always bound accesses
 * by len.  This is the carrier for binary authentication material in
 * this header (lg_challenge_key, lg_nt_password, lg_lm_password,
 * tkn_ssnkey below).  Ownership of val is not expressed by the type —
 * check the XDR and free routines before assuming who releases it.
 * See also: smb_buf32_xdr()
 */
typedef struct smb_buf32 {
	uint32_t	len;	/* number of valid bytes at val */
	uint8_t		*val;	/* raw bytes, not NUL-terminated */
} smb_buf32_t;
/*
 * Access Token
 *
 * An access token identifies a user, the user's privileges and the
 * list of groups of which the user is a member. This information is
 * used when access is requested to an object by comparing this
 * information with the DACL in the object's security descriptor.
 *
 * There should be one unique token per user per session per client.
 *
 * Access Token Flags (bits in smb_token_t.tkn_flags)
 *
 * SMB_ATF_GUEST	Token belongs to guest user
 * SMB_ATF_ANON		Token belongs to anonymous user
 *			and it's only good for IPC Connection.
 * SMB_ATF_POWERUSER	Token belongs to a Power Users member
 * SMB_ATF_BACKUPOP	Token belongs to a Backup Operators member
 *			(the original comment said "Power User" here,
 *			which was a copy/paste error)
 * SMB_ATF_ADMIN	Token belongs to a Domain Admins member
 *
 * NOTE(review): these bits grant elevated treatment downstream, so
 * they must only ever be set by the code that builds the token from
 * the authenticated group list, never from client-supplied data.
 */
#define SMB_ATF_GUEST		0x00000001
#define SMB_ATF_ANON		0x00000002
#define SMB_ATF_POWERUSER	0x00000004
#define SMB_ATF_BACKUPOP	0x00000008
#define SMB_ATF_ADMIN		0x00000010
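/*
 * SMB_POSIX_GRPS_SIZE(n): byte size of an smb_posix_grps_t that holds
 * n gids.  The struct (declared below) already carries
 * ANY_SIZE_ARRAY (presumably 1) gid_t slot(s), hence the "- 1".
 *
 * The argument is parenthesised so that a compound expression such as
 * a ?: or a comma expression cannot change the arithmetic.
 *
 * NOTE(review): n must be >= 1.  With n == 0 and an unsigned argument
 * (pg_ngrps is uint32_t) the subtraction wraps and the result is a
 * huge allocation size — confirm every caller guards against that.
 */
#define SMB_POSIX_GRPS_SIZE(n) \
	(sizeof (smb_posix_grps_t) + ((n) - 1) * sizeof (gid_t))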
/*
 * It consists of the primary and supplementary POSIX groups.
 *
 * pg_ngrps is the number of valid entries in pg_grps; the array is
 * sized at allocation time with SMB_POSIX_GRPS_SIZE(), so any loop
 * over pg_grps must be bounded by pg_ngrps and nothing else.
 * See also: smb_posix_grps_xdr()
 */
typedef struct smb_posix_grps {
	uint32_t	pg_ngrps;		/* count of entries in pg_grps */
	gid_t		pg_grps[ANY_SIZE_ARRAY];	/* pg_ngrps gids follow */
} smb_posix_grps_t;
/*
 * An NT-style logon "token" (NT terminology)
 *
 * Built by the auth service after a successful logon and returned to
 * the kernel (LSA_MTYPE_TOKEN).  Everything access control later relies
 * on — identity, groups, privileges, SMB_ATF_* flags — lives here, so
 * the only legitimate producer is the authentication path.
 *
 * NOTE(review): tkn_ssnkey is key material.  It is (presumably)
 * serialized by smb_token_xdr() like the rest of the struct, so it
 * crosses the auth socket; whichever of smb_token_free()/
 * smb_token_destroy() releases it should scrub the bytes rather than
 * just free them — confirm in the implementation.
 * See also: smb_token_xdr()
 */
typedef struct smb_token {
	smb_id_t	tkn_user;		/* authenticated user (smb_id_t, see smb_sid.h) */
	smb_id_t	tkn_owner;		/* default owner for objects created */
	smb_id_t	tkn_primary_grp;	/* primary group */
	smb_ids_t	tkn_win_grps;		/* Windows group membership list */
	smb_privset_t	*tkn_privileges;	/* privilege set, see smb_privilege.h */
	char		*tkn_account_name;	/* NUL-terminated account name */
	char		*tkn_domain_name;	/* NUL-terminated domain name */
	uint32_t	tkn_flags;		/* SMB_ATF_* bits */
	uint32_t	tkn_audit_sid;		/* audit session id (presumably) — verify */
	smb_buf32_t	tkn_ssnkey;		/* session key: secret, scrub on release */
	smb_posix_grps_t *tkn_posix_grps;	/* POSIX gids; may be NULL — check before use */
} smb_token_t;
/*
 * Details required to authenticate a user.
 *
 * Filled in by the kernel from the client's session setup and handed
 * to the auth service; the "filled in user space" members are the
 * service's results.  The string members come from the client and the
 * smb_buf32_t members are raw, length-delimited blobs: treat all of
 * them as untrusted and bound every access by the stored length.
 *
 * NOTE(review): lg_lm_password is the LM-style response.  Whether an
 * LM response is ever accepted is policy decided elsewhere (possibly
 * via lg_secmode) — confirm it is rejected by default.
 * See also: smb_logon_xdr()
 */
typedef struct smb_logon {
	uint16_t	lg_level;		/* logon level (meaning not defined here — see users) */
	char		*lg_username;		/* requested username */
	char		*lg_domain;		/* requested domain */
	char		*lg_e_username;		/* effective username */
	char		*lg_e_domain;		/* effective domain */
	char		*lg_workstation;	/* client workstation name, client-supplied */
	smb_inaddr_t	lg_clnt_ipaddr;		/* client address */
	smb_inaddr_t	lg_local_ipaddr;	/* local address the session arrived on */
	uint16_t	lg_local_port;		/* local port the session arrived on */
	smb_buf32_t	lg_challenge_key;	/* challenge sent to the client (presumably) */
	smb_buf32_t	lg_nt_password;		/* NT-style response blob */
	smb_buf32_t	lg_lm_password;		/* LM-style response blob */
	uint32_t	lg_ntlm_flags;		/* NTLM negotiate flags (presumably) */
	int		lg_native_os;		/* client's native OS code */
	int		lg_native_lm;		/* client's native LAN manager code */
	uint32_t	lg_flags;		/* logon flags, e.g. NETR_NETWORK_LOGON — verify */
	uint32_t	lg_logon_id;		/* filled in user space */
	uint32_t	lg_domain_type;		/* filled in user space */
	uint32_t	lg_secmode;		/* filled in user space */
	uint32_t	lg_status;		/* filled in user space: NT status of the logon (presumably) */
} smb_logon_t;
/*
 * This is the name of the local (AF_UNIX) socket
 * where the SMB auth. service listens.
 *
 * The messages described below — logon requests carrying client
 * credentials and tokens carrying tkn_ssnkey — presumably travel over
 * this socket, so the permissions on it and on /var/smb/lipc are what
 * stop other local users from submitting logons or impersonating the
 * auth service.  NOTE(review): those permissions are set elsewhere —
 * confirm they limit access to the intended identities.
 */
#define SMB_AUTHSVC_SOCKNAME "/var/smb/lipc/smbauth"
/*
 * Maximum number of authentication conversations at one time.
 * Note this is _NOT_ the max. number of logged on users,
 * which can be much larger.
 *
 * NOTE(review): this caps concurrent in-flight logons; what happens
 * when the cap is reached (queue, or refuse) is decided by the
 * service, not here — confirm it fails closed rather than hanging.
 */
#define SMB_AUTHSVC_MAXTHREAD 256
/*
 * Messages to and from the local security authority
 * Type codes:
 *
 * Carried on the wire as smb_lsa_msg_hdr_t.lmh_msgtype (a uint32_t),
 * so a receiver sees an arbitrary 32-bit value, not a checked enum;
 * it must reject anything outside this list.
 */
typedef enum smb_lsa_mtype {
	/* reply types */
	LSA_MTYPE_OK = 0,
	LSA_MTYPE_ERROR,	/* payload: smb_lsa_eresp_t */
	LSA_MTYPE_ES_DONE,	/* ext. sec: authenticated */
	LSA_MTYPE_ES_CONT,	/* more processing required */
	LSA_MTYPE_TOKEN,	/* smb_token_t */
	/* request types */
	LSA_MTYPE_OLDREQ,	/* non-ext. sec. session setup */
	LSA_MTYPE_CLINFO,	/* client info sent at start of ES; payload: smb_lsa_clinfo_t */
	LSA_MTYPE_ESFIRST,	/* spnego initial message */
	LSA_MTYPE_ESNEXT,	/* spnego continuation */
	LSA_MTYPE_GETTOK	/* after ES auth, get token */
} smb_lsa_mtype_t;
/*
 * msg: header common to all message types
 *
 * NOTE(review): both fields arrive from the peer.  A reader should
 * check lmh_msgtype against smb_lsa_mtype_t and bound lmh_msglen
 * before allocating or reading the payload — confirm in the socket
 * handling code on both sides.
 */
typedef struct smb_lsa_msg_hdr {
	uint32_t	lmh_msgtype;	/* smb_lsa_mtype_t */
	uint32_t	lmh_msglen;	/* size of what follows */
} smb_lsa_msg_hdr_t;
/*
 * eresp: error response
 * msgtype: LSA_MTYPE_ERROR
 * (the enum has no LSA_MTYPE_ERESP; the old comment named one)
 *
 * Carries the NT status plus the DOS error class/code for the
 * reply to the client.
 */
typedef struct smb_lsa_eresp {
	uint32_t	ler_ntstatus;	/* NT status for the failed request */
	uint16_t	ler_errclass;	/* DOS error class */
	uint16_t	ler_errcode;	/* DOS error code */
} smb_lsa_eresp_t;
/*
 * Message for LSA_MTYPE_CLINFO
 *
 * Per-client information sent once at the start of an extended
 * security exchange.  The challenge here is a fixed 8-byte array,
 * unlike smb_logon_t.lg_challenge_key which is a length-delimited
 * smb_buf32_t; code copying between the two must respect both sizes.
 */
typedef struct smb_lsa_clinfo {
	smb_inaddr_t	lci_clnt_ipaddr;	/* client address */
	unsigned char	lci_challenge_key[8];	/* 8-byte challenge */
	int		lci_native_os;		/* client's native OS code */
	int		lci_native_lm;		/* client's native LAN manager code */
} smb_lsa_clinfo_t;
struct XDR;
/*
 * XDR encode/decode for the two structures that cross the auth socket.
 * These consume peer-supplied bytes; the length fields inside
 * (smb_buf32_t.len, pg_ngrps) are data, and the decoders must bound
 * them rather than trust them.
 */
int smb_logon_xdr(struct XDR *, smb_logon_t *);
int smb_token_xdr(struct XDR *, smb_token_t *);
#if defined(_KERNEL) || defined(_FAKE_KERNEL)
/*
 * Release a token decoded in the kernel.
 * NOTE(review): should scrub tkn_ssnkey before freeing — confirm.
 */
void smb_token_free(smb_token_t *);
#else /* _KERNEL */
/* Perform the logon described by the request; NULL presumably means failure. */
smb_token_t *smb_logon(smb_logon_t *);
/* Stop any in-progress logon work (service shutdown path, presumably). */
void smb_logon_abort(void);
/*
 * Release a token built in user space.
 * NOTE(review): should scrub tkn_ssnkey before freeing — confirm.
 */
void smb_token_destroy(smb_token_t *);
/*
 * Serialize a token; the encoded length is returned through the
 * uint32_t out-parameter.  Caller owns the returned buffer; it holds
 * the session key, so it should be scrubbed after use.
 */
uint8_t *smb_token_encode(smb_token_t *, uint32_t *);
/*
 * Log a token for diagnostics.  NOTE(review): must not log
 * tkn_ssnkey — confirm in the implementation.
 */
void smb_token_log(smb_token_t *);
/* Decode a logon request from (buf, len); len bounds all reads. */
smb_logon_t *smb_logon_decode(uint8_t *, uint32_t);
/* Release a decoded logon request, including its password blobs. */
void smb_logon_free(smb_logon_t *);
#endif /* _KERNEL */
/* Test whether the token holds privilege priv_id (see smb_privilege.h). */
int smb_token_query_privilege(smb_token_t *token, int priv_id);
/*
 * Sanity-check a token before it is used for access decisions.
 * Intended to be called on every token received over the socket.
 */
boolean_t smb_token_valid(smb_token_t *);
#ifdef __cplusplus
}
#endif
#endif /* _SMB_TOKEN_H */