NEX-18708 Domain logons may get STATUS_ACCESS_DENIED
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-14666 Need to provide SMB 2.1 Client
NEX-17187 panic in smbfs_acl_store
NEX-17231 smbfs create xattr files finds wrong file
NEX-17224 smbfs lookup EINVAL should be ENOENT
NEX-17260 SMB1 client fails to list directory after NEX-14666
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
Reviewed by: Saso Kiselkov <saso.kiselkov@nexenta.com>
Reviewed by: Joyce McIntosh <joyce.mcintosh@nexenta.com>
and: (cleanup)
1575 untangle libmlrpc from SMB server
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Toomas Soome <tsoome@me.com>
Approved by: Richard Lowe <richlowe@richlowe.net>
NEX-4083 Upstream changes from illumos 5917 and 5995
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Kevin Crowe <kevin.crowe@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
NEX-2667 Wrong error when join domain with wrong password
Reviewed by: Kevin Crowe <kevin.crowe@nexenta.com>
Reviewed by: Bayard Bell <bayard.bell@nexenta.com>
SUP-621 ... join AD domain, ... ACCESS_DENIED when trying to open \lsarpc
NEX-2225 Unable to join NexentaStor to 2008 AD
NEX-2286 smbadm join error messages are uninformative
NEX-1852 re-enable Kerberos-style AD join (try 2)
NEX-1638 Updated DC Locator
 Includes work by: matt.barden@nexenta.com, kevin.crowe@nexenta.com
SFR-56 Identity Management for UNIX (IDMU) authentication support
re #13190 rb4312 idmapd error -9961 (No AD servers)
re #12435 rb3958 r10 is added 2 times to panic info
re #12393 rb3935 Kerberos and smbd disagree about who is our AD server


   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
  23  * Copyright 2015 Nexenta Systems, Inc.  All rights reserved.
  24  */
  25 
  26 /*
  27  * Utility functions to support the RPC interface library.
  28  */
  29 
  30 #include <stdio.h>
  31 #include <stdarg.h>
  32 #include <strings.h>
  33 #include <unistd.h>
  34 #include <netdb.h>
  35 #include <stdlib.h>
  36 #include <sys/time.h>
  37 #include <sys/systm.h>
  38 #include <note.h>
  39 #include <syslog.h>
  40 
  41 #include <smbsrv/libsmb.h>
  42 #include <smbsrv/libsmbns.h>
  43 #include <smbsrv/libmlsvc.h>
  44 #include <smbsrv/ntaccess.h>
  45 #include <smbsrv/smbinfo.h>
  46 #include <smbsrv/netrauth.h>
  47 #include <libsmbrdr.h>
  48 #include <lsalib.h>
  49 #include <samlib.h>
  50 #include <mlsvc.h>
  51 
  52 static DWORD
  53 mlsvc_join_rpc(smb_domainex_t *dxi,
  54         char *admin_user, char *admin_pw,
  55         char *machine_name, char *machine_pw);
  56 static DWORD
  57 mlsvc_join_noauth(smb_domainex_t *dxi,
  58         char *machine_name, char *machine_pw);
  59 
  60 



  61 DWORD
  62 mlsvc_netlogon(char *server, char *domain)
  63 {
  64         mlsvc_handle_t netr_handle;
  65         DWORD status;
  66 
  67         status = netr_open(server, domain, &netr_handle);
  68         if (status != 0) {
  69                 syslog(LOG_NOTICE, "Failed to connect to %s "
  70                     "for domain %s (%s)", server, domain,
  71                     xlate_nt_status(status));
  72                 return (status);
  73         }
  74 
  75         status = netlogon_auth(server, &netr_handle, NETR_FLG_INIT);
  76         if (status != NT_STATUS_SUCCESS) {
  77                 syslog(LOG_NOTICE, "Failed to establish NETLOGON "
  78                     "credential chain with DC: %s (%s)", server,
  79                     xlate_nt_status(status));
  80                 syslog(LOG_NOTICE, "The machine account information on the "
  81                     "domain controller does not match the local storage.");
  82                 syslog(LOG_NOTICE, "To correct this, use 'smbadm join'");
  83         }
  84         (void) netr_close(&netr_handle);
  85 
  86         return (status);
  87 }
  88 
  89 /*
  90  * Join the specified domain.  The method varies depending on whether
  91  * we're using "secure join" (using an administrative account to join)
  92  * or "unsecure join" (using a pre-created machine account).  In the
  93  * latter case, the machine account is created "by hand" before this
  94  * machine attempts to join, and we just change the password from the
  95  * (weak) default password for a new machine account to a random one.
  96  *
  97  * Returns NT status codes.
  98  */
  99 void
 100 mlsvc_join(smb_joininfo_t *info, smb_joinres_t *res)
 101 {
 102         static unsigned char zero_hash[SMBAUTH_HASH_SZ];
 103         char machine_name[SMB_SAMACCT_MAXLEN];
 104         char machine_pw[NETR_MACHINE_ACCT_PASSWD_MAX];


 407          * characters.
 408          */
 409         if (smb_gethostname(old_pw, sizeof (old_pw), SMB_CASE_LOWER) != 0)
 410                 return (NT_STATUS_INTERNAL_ERROR);
 411         old_pw[14] = '\0';
 412 
 413         status = netr_change_password(dxi->d_dci.dc_name, machine_name,
 414             old_pw, machine_pw);
 415         if (status != NT_STATUS_SUCCESS) {
 416                 syslog(LOG_NOTICE,
 417                     "Change machine account password: %s",
 418                     xlate_nt_status(status));
 419         }
 420         return (status);
 421 }
 422 
 423 void
 424 mlsvc_disconnect(const char *server)
 425 {
 426         smbrdr_disconnect(server);








































 427 }


   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
  23  * Copyright 2018 Nexenta Systems, Inc.  All rights reserved.
  24  */
  25 
  26 /*
  27  * Utility functions to support the RPC interface library.
  28  */
  29 
  30 #include <stdio.h>
  31 #include <stdarg.h>
  32 #include <strings.h>
  33 #include <unistd.h>
  34 #include <netdb.h>
  35 #include <stdlib.h>
  36 #include <sys/time.h>
  37 #include <sys/systm.h>
  38 #include <note.h>
  39 #include <syslog.h>
  40 
  41 #include <smbsrv/libsmb.h>
  42 #include <smbsrv/libsmbns.h>
  43 #include <smbsrv/libmlsvc.h>
  44 #include <smb/ntaccess.h>
  45 #include <smbsrv/smbinfo.h>
  46 #include <smbsrv/netrauth.h>
  47 #include <libsmbrdr.h>
  48 #include <lsalib.h>
  49 #include <samlib.h>
  50 #include <mlsvc.h>
  51 
  52 static DWORD
  53 mlsvc_join_rpc(smb_domainex_t *dxi,
  54         char *admin_user, char *admin_pw,
  55         char *machine_name, char *machine_pw);
  56 static DWORD
  57 mlsvc_join_noauth(smb_domainex_t *dxi,
  58         char *machine_name, char *machine_pw);
  59 
  60 /*
  61  * This is called by smbd_dc_update just after we've learned about a
  62  * new domain controller.  Make sure we can authenticate with this DC.
  63  */
  64 DWORD
  65 mlsvc_netlogon(char *server, char *domain)
  66 {

  67         DWORD status;
  68 
  69         status = smb_netlogon_check(server, domain);








  70         if (status != NT_STATUS_SUCCESS) {
  71                 syslog(LOG_NOTICE, "Failed to establish NETLOGON "
  72                     "credential chain with DC: %s (%s)", server,
  73                     xlate_nt_status(status));
  74                 syslog(LOG_NOTICE, "The machine account information on the "
  75                     "domain controller does not match the local storage.");
  76                 syslog(LOG_NOTICE, "To correct this, use 'smbadm join'");
  77         }

  78 
  79         return (status);
  80 }
  81 
  82 /*
  83  * Join the specified domain.  The method varies depending on whether
  84  * we're using "secure join" (using an administrative account to join)
  85  * or "unsecure join" (using a pre-created machine account).  In the
  86  * latter case, the machine account is created "by hand" before this
  87  * machine attempts to join, and we just change the password from the
  88  * (weak) default password for a new machine account to a random one.
  89  *
  90  * Returns NT status codes.
  91  */
  92 void
  93 mlsvc_join(smb_joininfo_t *info, smb_joinres_t *res)
  94 {
  95         static unsigned char zero_hash[SMBAUTH_HASH_SZ];
  96         char machine_name[SMB_SAMACCT_MAXLEN];
  97         char machine_pw[NETR_MACHINE_ACCT_PASSWD_MAX];


 400          * characters.
 401          */
 402         if (smb_gethostname(old_pw, sizeof (old_pw), SMB_CASE_LOWER) != 0)
 403                 return (NT_STATUS_INTERNAL_ERROR);
 404         old_pw[14] = '\0';
 405 
 406         status = netr_change_password(dxi->d_dci.dc_name, machine_name,
 407             old_pw, machine_pw);
 408         if (status != NT_STATUS_SUCCESS) {
 409                 syslog(LOG_NOTICE,
 410                     "Change machine account password: %s",
 411                     xlate_nt_status(status));
 412         }
 413         return (status);
 414 }
 415 
 416 void
 417 mlsvc_disconnect(const char *server)
 418 {
 419         smbrdr_disconnect(server);
 420 }
 421 
 422 /*
 423  * A few more helper functions for RPC services.
 424  */
 425 
 426 /*
 427  * Check whether or not the specified user has administrator privileges,
 428  * i.e. is a member of Domain Admins or Administrators.
 429  * Returns true if the user is an administrator, otherwise returns false.
 430  */
 431 boolean_t
 432 ndr_is_admin(ndr_xa_t *xa)
 433 {
 434         smb_netuserinfo_t *ctx = xa->pipe->np_user;
 435 
 436         return (ctx->ui_flags & SMB_ATF_ADMIN);
 437 }
 438 
 439 /*
 440  * Check whether or not the specified user has power-user privileges,
 441  * i.e. is a member of Domain Admins, Administrators or Power Users.
 442  * This is typically required for operations such as managing shares.
 443  * Returns true if the user is a power user, otherwise returns false.
 444  */
 445 boolean_t
 446 ndr_is_poweruser(ndr_xa_t *xa)
 447 {
 448         smb_netuserinfo_t *ctx = xa->pipe->np_user;
 449 
 450         return ((ctx->ui_flags & SMB_ATF_ADMIN) ||
 451             (ctx->ui_flags & SMB_ATF_POWERUSER));
 452 }
 453 
 454 int32_t
 455 ndr_native_os(ndr_xa_t *xa)
 456 {
 457         smb_netuserinfo_t *ctx = xa->pipe->np_user;
 458 
 459         return (ctx->ui_native_os);
 460 }