NEX-18708 Domain logons may get STATUS_ACCESS_DENIED
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-14666 Need to provide SMB 2.1 Client
NEX-17187 panic in smbfs_acl_store
NEX-17231 smbfs create xattr files finds wrong file
NEX-17224 smbfs lookup EINVAL should be ENOENT
NEX-17260 SMB1 client fails to list directory after NEX-14666
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
Reviewed by: Saso Kiselkov <saso.kiselkov@nexenta.com>
Reviewed by: Joyce McIntosh <joyce.mcintosh@nexenta.com>
and: (cleanup)
1575 untangle libmlrpc from SMB server
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Toomas Soome <tsoome@me.com>
Approved by: Richard Lowe <richlowe@richlowe.net>
NEX-4083 Upstream changes from illumos 5917 and 5995
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Kevin Crowe <kevin.crowe@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
NEX-2667 Wrong error when join domain with wrong password
Reviewed by: Kevin Crowe <kevin.crowe@nexenta.com>
Reviewed by: Bayard Bell <bayard.bell@nexenta.com>
SUP-621 ... join AD domain, ... ACCESS_DENIED when trying to open \lsarpc
NEX-2225 Unable to join NexentaStor to 2008 AD
NEX-2286 smbadm join error messages are uninformative
NEX-1852 re-enable Kerberos-style AD join (try 2)
NEX-1638 Updated DC Locator
Includes work by: matt.barden@nexenta.com, kevin.crowe@nexenta.com
SFR-56 Identity Management for UNIX (IDMU) authentication support
re #13190 rb4312 idmapd error -9961 (No AD servers)
re #12435 rb3958 r10 is added 2 times to panic info
re #12393 rb3935 Kerberos and smbd disagree about who is our AD server
@@ -18,11 +18,11 @@
*
* CDDL HEADER END
*/
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
*/
/*
* Utility functions to support the RPC interface library.
*/
@@ -39,11 +39,11 @@
#include <syslog.h>
#include <smbsrv/libsmb.h>
#include <smbsrv/libsmbns.h>
#include <smbsrv/libmlsvc.h>
-#include <smbsrv/ntaccess.h>
+#include <smb/ntaccess.h>
#include <smbsrv/smbinfo.h>
#include <smbsrv/netrauth.h>
#include <libsmbrdr.h>
#include <lsalib.h>
#include <samlib.h>
@@ -55,35 +55,28 @@
char *machine_name, char *machine_pw);
static DWORD
mlsvc_join_noauth(smb_domainex_t *dxi,
char *machine_name, char *machine_pw);
-
+/*
+ * This is called by smbd_dc_update just after we've learned about a
+ * new domain controller. Make sure we can authenticate with this DC.
+ */
DWORD
mlsvc_netlogon(char *server, char *domain)
{
- mlsvc_handle_t netr_handle;
DWORD status;
- status = netr_open(server, domain, &netr_handle);
- if (status != 0) {
- syslog(LOG_NOTICE, "Failed to connect to %s "
- "for domain %s (%s)", server, domain,
- xlate_nt_status(status));
- return (status);
- }
-
- status = netlogon_auth(server, &netr_handle, NETR_FLG_INIT);
+ status = smb_netlogon_check(server, domain);
if (status != NT_STATUS_SUCCESS) {
syslog(LOG_NOTICE, "Failed to establish NETLOGON "
"credential chain with DC: %s (%s)", server,
xlate_nt_status(status));
syslog(LOG_NOTICE, "The machine account information on the "
"domain controller does not match the local storage.");
syslog(LOG_NOTICE, "To correct this, use 'smbadm join'");
}
- (void) netr_close(&netr_handle);
return (status);
}
/*
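Review bot: The failure branch now attributes every non-success status from smb_netlogon_check() to a stale machine account ("does not match the local storage", "use 'smbadm join'"), whereas the removed code logged a separate "Failed to connect" message when netr_open() failed before any credential exchange; if smb_netlogon_check() can still return transport-level failures, that advice will be misleading for them. I cannot see smb_netlogon_check() here, so this is worth confirming; if it distinguishes the cases, log the join advice only for the authentication failure. Minor style: `status` is declared and then assigned on the next statement, `DWORD status = smb_netlogon_check(server, domain);` keeps the variable initialised at its point of declaration. The new header comment could also state the return contract, e.g. `Returns NT_STATUS_SUCCESS, or the NT status of the failed check.`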
@@ -422,6 +415,46 @@
void
mlsvc_disconnect(const char *server)
{
smbrdr_disconnect(server);
+}
+
+/*
+ * A few more helper functions for RPC services.
+ */
+
+/*
+ * Check whether or not the specified user has administrator privileges,
+ * i.e. is a member of Domain Admins or Administrators.
+ * Returns true if the user is an administrator, otherwise returns false.
+ */
+boolean_t
+ndr_is_admin(ndr_xa_t *xa)
+{
+ smb_netuserinfo_t *ctx = xa->pipe->np_user;
+
+ return (ctx->ui_flags & SMB_ATF_ADMIN);
+}
+
+/*
+ * Check whether or not the specified user has power-user privileges,
+ * i.e. is a member of Domain Admins, Administrators or Power Users.
+ * This is typically required for operations such as managing shares.
+ * Returns true if the user is a power user, otherwise returns false.
+ */
+boolean_t
+ndr_is_poweruser(ndr_xa_t *xa)
+{
+ smb_netuserinfo_t *ctx = xa->pipe->np_user;
+
+ return ((ctx->ui_flags & SMB_ATF_ADMIN) ||
+ (ctx->ui_flags & SMB_ATF_POWERUSER));
+}
+
+int32_t
+ndr_native_os(ndr_xa_t *xa)
+{
+ smb_netuserinfo_t *ctx = xa->pipe->np_user;
+
+ return (ctx->ui_native_os);
}
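Review bot: ndr_is_admin() returns the raw masked value `ctx->ui_flags & SMB_ATF_ADMIN` as a boolean_t, so unless SMB_ATF_ADMIN happens to equal 1 the result is neither B_TRUE nor B_FALSE and a caller that compares against B_TRUE would wrongly deny an administrator; `return ((ctx->ui_flags & SMB_ATF_ADMIN) != 0);` normalises it (ndr_is_poweruser() is fine as written because `||` already yields 0 or 1). All three helpers dereference `xa->pipe->np_user` without a check; that is presumably guaranteed non-NULL for an established pipe, but since these two gate privileged RPC operations it is worth confirming at the call sites or asserting here. ndr_native_os() is the only new function without a header comment; suggest `/* Return the ui_native_os value recorded for the user that opened this pipe. */`.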