1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
24 */
25
26 /*
27 * Authentication support for SMB session setup
28 */
29
30 #include <sys/types.h>
31 #include <sys/sid.h>
32 #include <sys/priv_names.h>
33 #include <sys/socket.h>
34 #include <sys/un.h>
35 #include <netinet/in.h>
36 #include <smbsrv/smb_idmap.h>
37 #include <smbsrv/smb_kproto.h>
38 #include <smbsrv/smb_token.h>
39
40 static uint32_t smb_authsock_open(smb_user_t *);
41 static int smb_authsock_send(ksocket_t, void *, size_t);
42 static int smb_authsock_recv(ksocket_t, void *, size_t);
43 static uint32_t smb_authsock_sendrecv(smb_user_t *, smb_lsa_msg_hdr_t *hdr,
44 void *sndbuf, void **recvbuf);
45 /* void smb_authsock_close(smb_user_t *); kproto.h */
46
47 static uint32_t smb_auth_do_clinfo(smb_request_t *);
48 static uint32_t smb_auth_do_oldreq(smb_request_t *);
49 static uint32_t smb_auth_get_token(smb_request_t *);
50 static uint32_t smb_priv_xlate(smb_token_t *);
51
52 /*
53 * Handle old-style session setup (non-extended security)
54 *
55 * The user information is passed to smbd for authentication.
56 * If smbd can authenticate the user an access token is returned and we
57 * generate a cred and new user based on the token.
58 */
59 int
60 smb_authenticate_old(smb_request_t *sr)
61 {
62 smb_user_t *user = NULL;
63 uint32_t status;
64
65 user = smb_user_new(sr->session);
66 if (user == NULL)
67 return (NT_STATUS_TOO_MANY_SESSIONS);
68
69 /* user cleanup in smb_request_free */
70 sr->uid_user = user;
71 sr->smb_uid = user->u_uid;
72
73 /*
74 * Open a connection to the local logon service.
75 * If we can't, it may be busy, or not running.
76 * Don't log here - this may be frequent.
77 */
78 if ((status = smb_authsock_open(user)) != 0)
79 goto errout;
80
81 /*
82 * Tell the auth. svc who this client is.
83 */
84 if ((status = smb_auth_do_clinfo(sr)) != 0)
85 goto errout;
86
87 /*
88 * Authentication proper
89 */
90 if ((status = smb_auth_do_oldreq(sr)) != 0)
91 goto errout;
92
93 /*
94 * Get the final auth. token.
95 */
96 if ((status = smb_auth_get_token(sr)) != 0)
97 goto errout;
98
99 return (0);
100
101 errout:
102 smb_user_logoff(user);
103 return (status);
104 }
105
106 /*
107 * Build an authentication request message and
108 * send it to the local logon service.
109 */
110 static uint32_t
111 smb_auth_do_oldreq(smb_request_t *sr)
112 {
113 smb_lsa_msg_hdr_t msg_hdr;
114 smb_logon_t user_info;
115 XDR xdrs;
116 smb_arg_sessionsetup_t *sinfo = sr->sr_ssetup;
117 smb_user_t *user = sr->uid_user;
118 void *sbuf = NULL;
119 void *rbuf = NULL;
120 uint32_t slen = 0;
121 uint32_t rlen = 0;
122 uint32_t status;
123 bool_t ok;
124
125 bzero(&user_info, sizeof (smb_logon_t));
126
127 user_info.lg_level = NETR_NETWORK_LOGON;
128 user_info.lg_username = sinfo->ssi_user;
129 user_info.lg_domain = sinfo->ssi_domain;
130 user_info.lg_workstation = sr->session->workstation;
131 user_info.lg_clnt_ipaddr = sr->session->ipaddr;
132 user_info.lg_local_ipaddr = sr->session->local_ipaddr;
133 user_info.lg_local_port = sr->session->s_local_port;
134 user_info.lg_challenge_key.val = sr->session->challenge_key;
135 user_info.lg_challenge_key.len = sr->session->challenge_len;
136 user_info.lg_nt_password.val = sinfo->ssi_ntpwd;
137 user_info.lg_nt_password.len = sinfo->ssi_ntpwlen;
138 user_info.lg_lm_password.val = sinfo->ssi_lmpwd;
139 user_info.lg_lm_password.len = sinfo->ssi_lmpwlen;
140 user_info.lg_native_os = sr->session->native_os;
141 user_info.lg_native_lm = sr->session->native_lm;
142 /* lg_flags? */
143
144 slen = xdr_sizeof(smb_logon_xdr, &user_info);
145 sbuf = kmem_alloc(slen, KM_SLEEP);
146 xdrmem_create(&xdrs, sbuf, slen, XDR_ENCODE);
147 ok = smb_logon_xdr(&xdrs, &user_info);
148 xdr_destroy(&xdrs);
149 if (!ok) {
150 status = RPC_NT_BAD_STUB_DATA;
151 goto out;
152 }
153
154 msg_hdr.lmh_msgtype = LSA_MTYPE_OLDREQ;
155 msg_hdr.lmh_msglen = slen;
156 status = smb_authsock_sendrecv(user, &msg_hdr, sbuf, &rbuf);
157 if (status != 0)
158 goto out;
159 rlen = msg_hdr.lmh_msglen;
160 kmem_free(sbuf, slen);
161 sbuf = NULL;
162
163 /*
164 * Decode the response message.
165 */
166 switch (msg_hdr.lmh_msgtype) {
167
168 case LSA_MTYPE_OK:
169 status = 0;
170 break;
171
172 case LSA_MTYPE_ERROR:
173 if (rlen == sizeof (smb_lsa_eresp_t)) {
174 smb_lsa_eresp_t *ler = rbuf;
175 status = ler->ler_ntstatus;
176 break;
177 }
178 /* FALLTHROUGH */
179
180 default: /* Bogus message type */
181 status = NT_STATUS_INTERNAL_ERROR;
182 break;
183 }
184
185 out:
186 if (rbuf != NULL)
187 kmem_free(rbuf, rlen);
188 if (sbuf != NULL)
189 kmem_free(sbuf, slen);
190
191 return (status);
192 }
193
194 /*
195 * Handle new-style (extended security) session setup.
196 * Returns zero: success, non-zero: error (value not used)
197 *
198 * Note that this style uses a sequence of session setup requests,
199 * where the first has SMB UID=0, and subsequent requests in the
200 * same authentication sequence have the SMB UID returned for that
201 * first request. We allocate a USER object when the first request
202 * in the sequence arrives (SMB_USER_STATE_LOGGING_ON) and use that
203 * to maintain state between requests in this sequence. The state
204 * for one sequence includes an AF_UNIX "authsock" connection to the
205 * user-space smbd. The neat part of this is: in smbd, the handler
206 * for the server-side of one authsock gets only request specific to
207 * one authentication sequence, simplifying it's work immensely.
208 * When the authentication sequence is finished, with either success
209 * or failure, the local side of the authsock is closed.
210 *
211 * As with the old-style authentication, if we succeed, then the
212 * last message from smbd will be an smb_token_t encoding the
213 * information about the new user.
214 *
215 * Outline:
216 * (a) On the first request (UID==0) create a USER object,
217 * and on subsequent requests, find USER by SMB UID.
218 * (b) Send message / recv. response as above,
219 * (c) If response says "we're done", close authsock
220 * (both success and failure must close authsock)
221 */
222 int
223 smb_authenticate_ext(smb_request_t *sr)
224 {
225 smb_lsa_msg_hdr_t msg_hdr;
226 smb_arg_sessionsetup_t *sinfo = sr->sr_ssetup;
227 smb_user_t *user = NULL;
228 void *rbuf = NULL;
229 uint32_t rlen = 0;
230 uint32_t status;
231
232 ASSERT(sr->uid_user == NULL);
233
234 /*
235 * On the first request (UID==0) create a USER object.
236 * On subsequent requests (UID!=0) find the USER object.
237 * Either way, sr->uid_user is set, so our ref. on the
238 * user object is dropped during normal cleanup work
239 * for the smb_request (sr). Ditto u_authsock.
240 */
241 if (sr->smb_uid == 0) {
242 user = smb_user_new(sr->session);
243 if (user == NULL)
244 return (NT_STATUS_TOO_MANY_SESSIONS);
245
246 /* user cleanup in smb_request_free */
247 sr->uid_user = user;
248 sr->smb_uid = user->u_uid;
249
250 /*
251 * Open a connection to the local logon service.
252 * If we can't, it may be busy, or not running.
253 * Don't log here - this may be frequent.
254 */
255 if ((status = smb_authsock_open(user)) != 0)
256 goto errout;
257
258 /*
259 * Tell the auth. svc who this client is.
260 */
261 if ((status = smb_auth_do_clinfo(sr)) != 0)
262 goto errout;
263
264 msg_hdr.lmh_msgtype = LSA_MTYPE_ESFIRST;
265 } else {
266 user = smb_session_lookup_uid_st(sr->session,
267 sr->smb_uid, SMB_USER_STATE_LOGGING_ON);
268 if (user == NULL)
269 return (NT_STATUS_USER_SESSION_DELETED);
270
271 /* user cleanup in smb_request_free */
272 sr->uid_user = user;
273
274 msg_hdr.lmh_msgtype = LSA_MTYPE_ESNEXT;
275 }
276
277 /*
278 * Wrap the "security blob" with our header
279 * (LSA_MTYPE_ESFIRST or LSA_MTYPE_ESNEXT)
280 * and send it up the authsock with either
281 */
282 msg_hdr.lmh_msglen = sinfo->ssi_iseclen;
283 status = smb_authsock_sendrecv(user, &msg_hdr,
284 sinfo->ssi_isecblob, &rbuf);
285 if (status != 0)
286 goto errout;
287 rlen = msg_hdr.lmh_msglen;
288
289 /*
290 * Decode the response message.
291 * Note: allocated rbuf
292 */
293 switch (msg_hdr.lmh_msgtype) {
294
295 case LSA_MTYPE_ES_CONT:
296 sinfo->ssi_oseclen = (uint16_t)rlen;
297 sinfo->ssi_osecblob = smb_srm_alloc(sr, sinfo->ssi_oseclen);
298 bcopy(rbuf, sinfo->ssi_osecblob, sinfo->ssi_oseclen);
299 /*
300 * This is not really an error, but tells the client
301 * it should send another session setup request.
302 */
303 status = NT_STATUS_MORE_PROCESSING_REQUIRED;
304 break;
305
306 case LSA_MTYPE_ES_DONE:
307 sinfo->ssi_oseclen = (uint16_t)rlen;
308 sinfo->ssi_osecblob = smb_srm_alloc(sr, sinfo->ssi_oseclen);
309 bcopy(rbuf, sinfo->ssi_osecblob, sinfo->ssi_oseclen);
310 sinfo->ssi_ntpwlen = 0;
311 /*
312 * Get the final auth. token.
313 */
314 status = smb_auth_get_token(sr);
315 break;
316
317 case LSA_MTYPE_ERROR:
318 /*
319 * Authentication failed. Return the error
320 * provided in the reply message.
321 */
322 if (rlen == sizeof (smb_lsa_eresp_t)) {
323 smb_lsa_eresp_t *ler = rbuf;
324 status = ler->ler_ntstatus;
325 goto errout;
326 }
327 /* FALLTHROUGH */
328
329 default: /* Bogus message type */
330 status = NT_STATUS_INTERNAL_ERROR;
331 goto errout;
332 }
333
334 if (status != 0 && status != NT_STATUS_MORE_PROCESSING_REQUIRED) {
335 errout:
336 smb_user_logoff(user);
337 }
338
339 if (rbuf != NULL)
340 kmem_free(rbuf, rlen);
341
342 return (status);
343 }
344
345 /*
346 * Send the "client info" up to the auth service.
347 */
348 static uint32_t
349 smb_auth_do_clinfo(smb_request_t *sr)
350 {
351 smb_lsa_msg_hdr_t msg_hdr;
352 smb_lsa_clinfo_t clinfo;
353 smb_user_t *user = sr->uid_user;
354 void *rbuf = NULL;
355 uint32_t status;
356
357 /*
358 * Send a message with info. about the client
359 * (IP address, etc) and wait for an ACK.
360 */
361 msg_hdr.lmh_msgtype = LSA_MTYPE_CLINFO;
362 msg_hdr.lmh_msglen = sizeof (clinfo);
363 clinfo.lci_clnt_ipaddr = sr->session->ipaddr;
364 (void) memcpy(clinfo.lci_challenge_key,
365 sr->session->challenge_key,
366 sizeof (clinfo.lci_challenge_key));
367 status = smb_authsock_sendrecv(user, &msg_hdr, &clinfo, &rbuf);
368 /* We don't use this response. */
369 if (rbuf != NULL) {
370 kmem_free(rbuf, msg_hdr.lmh_msglen);
371 rbuf = NULL;
372 }
373
374 return (status);
375 }
376
377 /*
378 * After a successful authentication, ask the authsvc to
379 * send us the authentication token.
380 */
381 static uint32_t
382 smb_auth_get_token(smb_request_t *sr)
383 {
384 smb_lsa_msg_hdr_t msg_hdr;
385 XDR xdrs;
386 smb_user_t *user = sr->uid_user;
387 smb_token_t *token = NULL;
388 cred_t *cr = NULL;
389 void *rbuf = NULL;
390 uint32_t rlen = 0;
391 uint32_t privileges;
392 uint32_t status;
393 int rc;
394 bool_t ok;
395
396 msg_hdr.lmh_msgtype = LSA_MTYPE_GETTOK;
397 msg_hdr.lmh_msglen = 0;
398
399 status = smb_authsock_sendrecv(user, &msg_hdr, NULL, &rbuf);
400 if (status != 0)
401 goto errout;
402
403 rlen = msg_hdr.lmh_msglen;
404 switch (msg_hdr.lmh_msgtype) {
405
406 case LSA_MTYPE_TOKEN:
407 status = 0;
408 break;
409
410 case LSA_MTYPE_ERROR:
411 if (rlen == sizeof (smb_lsa_eresp_t)) {
412 smb_lsa_eresp_t *ler = rbuf;
413 status = ler->ler_ntstatus;
414 goto errout;
415 }
416 /* FALLTHROUGH */
417
418 default:
419 status = NT_STATUS_INTERNAL_ERROR;
420 goto errout;
421 }
422
423 /*
424 * Authenticated. Decode the LSA_MTYPE_TOKEN.
425 */
426 xdrmem_create(&xdrs, rbuf, rlen, XDR_DECODE);
427 token = kmem_zalloc(sizeof (smb_token_t), KM_SLEEP);
428 ok = smb_token_xdr(&xdrs, token);
429 xdr_destroy(&xdrs);
430 if (!ok) {
431 status = RPC_NT_BAD_STUB_DATA;
432 goto errout;
433 }
434 kmem_free(rbuf, rlen);
435 rbuf = NULL;
436
437 /*
438 * Setup the logon object.
439 */
440 cr = smb_cred_create(token);
441 if (cr == NULL)
442 goto errout;
443 privileges = smb_priv_xlate(token);
444 (void) smb_user_logon(user, cr,
445 token->tkn_domain_name, token->tkn_account_name,
446 token->tkn_flags, privileges, token->tkn_audit_sid);
447 crfree(cr);
448
449 /*
450 * Save the session key, and (maybe) enable signing,
451 * but only for real logon (not ANON or GUEST).
452 */
453 if ((token->tkn_flags & (SMB_ATF_GUEST | SMB_ATF_ANON)) == 0) {
454 if (sr->session->dialect >= SMB_VERS_2_BASE) {
455 rc = smb2_sign_begin(sr, token);
456 } else {
457 rc = smb_sign_begin(sr, token);
458 }
459 if (rc != 0) {
460 status = NT_STATUS_INTERNAL_ERROR;
461 goto errout;
462 }
463 }
464
465 smb_token_free(token);
466
467 sr->user_cr = user->u_cred;
468 return (0);
469
470 errout:
471 if (rbuf != NULL)
472 kmem_free(rbuf, rlen);
473 if (token != NULL)
474 smb_token_free(token);
475 return (status);
476 }
477
478 /*
479 * Tokens are allocated in the kernel via XDR.
480 * Call xdr_free before freeing the token structure.
481 */
482 void
483 smb_token_free(smb_token_t *token)
484 {
485 if (token != NULL) {
486 xdr_free(smb_token_xdr, (char *)token);
487 kmem_free(token, sizeof (smb_token_t));
488 }
489 }
490
491 /*
492 * Convert access token privileges to local definitions.
493 */
494 static uint32_t
495 smb_priv_xlate(smb_token_t *token)
496 {
497 uint32_t privileges = 0;
498
499 if (smb_token_query_privilege(token, SE_BACKUP_LUID))
500 privileges |= SMB_USER_PRIV_BACKUP;
501
502 if (smb_token_query_privilege(token, SE_RESTORE_LUID))
503 privileges |= SMB_USER_PRIV_RESTORE;
504
505 if (smb_token_query_privilege(token, SE_TAKE_OWNERSHIP_LUID))
506 privileges |= SMB_USER_PRIV_TAKE_OWNERSHIP;
507
508 if (smb_token_query_privilege(token, SE_SECURITY_LUID))
509 privileges |= SMB_USER_PRIV_SECURITY;
510
511 return (privileges);
512 }
513
514 /*
515 * Send/recv a request/reply sequence on the auth socket.
516 * Returns zero or an NT status.
517 *
518 * Errors here mean we can't communicate with the smbd_authsvc.
519 * With limited authsock instances, this should be rare.
520 */
521 static uint32_t
522 smb_authsock_sendrecv(smb_user_t *user, smb_lsa_msg_hdr_t *hdr,
523 void *sndbuf, void **recvbuf)
524 {
525 ksocket_t so;
526 uint32_t status;
527 int rc;
528
529 /*
530 * Get a hold on the auth socket.
531 */
532 mutex_enter(&user->u_mutex);
533 so = user->u_authsock;
534 if (so == NULL) {
535 mutex_exit(&user->u_mutex);
536 return (NT_STATUS_INTERNAL_ERROR);
537 }
538 ksocket_hold(so);
539 mutex_exit(&user->u_mutex);
540
541 rc = smb_authsock_send(so, hdr, sizeof (*hdr));
542 if (rc == 0 && hdr->lmh_msglen != 0) {
543 rc = smb_authsock_send(so, sndbuf, hdr->lmh_msglen);
544 }
545 if (rc)
546 goto out;
547
548 rc = smb_authsock_recv(so, hdr, sizeof (*hdr));
549 if (rc == 0 && hdr->lmh_msglen != 0) {
550 *recvbuf = kmem_alloc(hdr->lmh_msglen, KM_SLEEP);
551 rc = smb_authsock_recv(so, *recvbuf, hdr->lmh_msglen);
552 if (rc) {
553 kmem_free(*recvbuf, hdr->lmh_msglen);
554 *recvbuf = NULL;
555 }
556 }
557
558 out:
559 ksocket_rele(so);
560 switch (rc) {
561 case 0:
562 status = 0;
563 break;
564 case EIO:
565 status = RPC_NT_COMM_FAILURE;
566 break;
567 case ENOTCONN:
568 status = RPC_NT_PIPE_CLOSED;
569 break;
570 default:
571 status = RPC_NT_CALL_FAILED;
572 break;
573 }
574
575 return (status);
576 }
577
578 /*
579 * Hope this is interpreted per-zone...
580 */
581 static struct sockaddr_un smbauth_sockname = {
582 AF_UNIX, SMB_AUTHSVC_SOCKNAME };
583
584 /*
585 * Limit how long smb_authsock_sendrecv() will wait for a
586 * response from the local authentication service.
587 */
588 struct timeval smb_auth_recv_tmo = { 45, 0 };
589
590 /*
591 * Also limit the time smb_authsock_sendrecv() will wait
592 * trying to send a request to the authentication service.
593 */
594 struct timeval smb_auth_send_tmo = { 15, 0 };
595
596 static uint32_t
597 smb_authsock_open(smb_user_t *user)
598 {
599 smb_server_t *sv = user->u_server;
600 ksocket_t so = NULL;
601 uint32_t status;
602 int rc;
603
604 /*
605 * If the auth. service is busy, wait our turn.
606 * This may be frequent, so don't log.
607 */
608 if ((rc = smb_threshold_enter(&sv->sv_ssetup_ct)) != 0)
609 return (NT_STATUS_NO_LOGON_SERVERS);
610
611 rc = ksocket_socket(&so, AF_UNIX, SOCK_STREAM, 0,
612 KSOCKET_SLEEP, CRED());
613 if (rc != 0) {
614 cmn_err(CE_NOTE, "smb_authsock_open: socket, rc=%d", rc);
615 status = NT_STATUS_INSUFF_SERVER_RESOURCES;
616 goto errout;
617 }
618
619 /*
620 * Set the send/recv timeouts.
621 */
622 (void) ksocket_setsockopt(so, SOL_SOCKET, SO_SNDTIMEO,
623 &smb_auth_send_tmo, sizeof (smb_auth_send_tmo), CRED());
624 (void) ksocket_setsockopt(so, SOL_SOCKET, SO_RCVTIMEO,
625 &smb_auth_recv_tmo, sizeof (smb_auth_recv_tmo), CRED());
626
627 /*
628 * Connect to the smbd auth. service.
629 *
630 * Would like to set the connect timeout too, but there's
631 * apparently no easy way to do that for AF_UNIX.
632 */
633 rc = ksocket_connect(so, (struct sockaddr *)&smbauth_sockname,
634 sizeof (smbauth_sockname), CRED());
635 if (rc != 0) {
636 DTRACE_PROBE1(error, int, rc);
637 status = NT_STATUS_NETLOGON_NOT_STARTED;
638 goto errout;
639 }
640
641 /* Note: u_authsock cleanup in smb_authsock_close() */
642 mutex_enter(&user->u_mutex);
643 if (user->u_authsock != NULL) {
644 mutex_exit(&user->u_mutex);
645 status = NT_STATUS_INTERNAL_ERROR;
646 goto errout;
647 }
648 user->u_authsock = so;
649 mutex_exit(&user->u_mutex);
650 return (0);
651
652 errout:
653 if (so != NULL)
654 (void) ksocket_close(so, CRED());
655 smb_threshold_exit(&sv->sv_ssetup_ct);
656
657 return (status);
658 }
659
660 static int
661 smb_authsock_send(ksocket_t so, void *buf, size_t len)
662 {
663 int rc;
664 size_t iocnt = 0;
665
666 rc = ksocket_send(so, buf, len, 0, &iocnt, CRED());
667 if (rc == 0 && iocnt != len) {
668 DTRACE_PROBE1(short, size_t, iocnt);
669 rc = EIO;
670 }
671 if (rc != 0) {
672 DTRACE_PROBE1(error, int, rc);
673 }
674
675 return (rc);
676 }
677
678 static int
679 smb_authsock_recv(ksocket_t so, void *buf, size_t len)
680 {
681 int rc;
682 size_t iocnt = 0;
683
684 rc = ksocket_recv(so, buf, len, MSG_WAITALL, &iocnt, CRED());
685 if (rc == 0) {
686 if (iocnt == 0) {
687 DTRACE_PROBE1(discon, struct sonode *, so);
688 rc = ENOTCONN;
689 } else if (iocnt != len) {
690 /* Should not happen with MSG_WAITALL */
691 DTRACE_PROBE1(short, size_t, iocnt);
692 rc = EIO;
693 }
694 }
695 if (rc != 0) {
696 DTRACE_PROBE1(error, int, rc);
697 }
698
699 return (rc);
700 }
701
702 void
703 smb_authsock_close(smb_user_t *user)
704 {
705
706 ASSERT(MUTEX_HELD(&user->u_mutex));
707 if (user->u_authsock == NULL)
708 return;
709 (void) ksocket_close(user->u_authsock, CRED());
710 user->u_authsock = NULL;
711 smb_threshold_exit(&user->u_server->sv_ssetup_ct);
712 }