NEX-13644 File access audit logging
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
Reviewed by: Saso Kiselkov <saso.kiselkov@nexenta.com>
Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
NEX-3080 SMB1 signing problem with Kerberos auth.
Reviewed by: Bayard Bell <bayard.bell@nexenta.com>
Reviewed by: Dan Fields <dan.fields@nexenta.com>
Reviewed by: Kevin Crowe <kevin.crowe@nexenta.com>
Reviewed by: Matt Barden <Matt.Barden@nexenta.com>
NEX-2485 SMB authentication flood handled poorly
NEX-2225 Unable to join NexentaStor to 2008 AD
SMB-108 Should have comments to relate types with their XDR functions
SMB-56 extended security NTLMSSP, inbound
SMB-50 User-mode SMB server
Includes work by these authors:
Thomas Keiser <thomas.keiser@nexenta.com>
Albert Lee <trisk@nexenta.com>
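--- a/usr/src/uts/common/smbsrv/smb_token.h
+++ b/usr/src/uts/common/smbsrv/smb_token.h
@@ -1,220 +1,229 @@
 /*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
 /*
 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 *
- * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
 */
 
 #ifndef _SMB_TOKEN_H
 #define _SMB_TOKEN_H
 
 #include <smbsrv/smb_inet.h>
 #include <smbsrv/smb_privilege.h>
 #include <smbsrv/smb_sid.h>
 
+#if defined(_KERNEL) || defined(_FAKE_KERNEL)
+#include <c2/audit.h>
+#else
+#include <bsm/audit.h>
+#endif
+
 /*
 * Don't want <smbsrv/netrauth.h> in here, but
 * uts/common/fs/smbsrv/smb_authenticate.c
 * wants this. Todo: cleanup
 */
 #define NETR_NETWORK_LOGON 0x02
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
 /*
 * 32-bit opaque buffer (non-null terminated strings)
 * See also: smb_buf32_xdr()
 */
 typedef struct smb_buf32 {
 uint32_t len;
 uint8_t *val;
 } smb_buf32_t;
 
 /*
 * Access Token
 *
 * An access token identifies a user, the user's privileges and the
 * list of groups of which the user is a member. This information is
 * used when access is requested to an object by comparing this
 * information with the DACL in the object's security descriptor.
 *
 * There should be one unique token per user per session per client.
 *
 * Access Token Flags
 *
 * SMB_ATF_GUEST Token belongs to guest user
 * SMB_ATF_ANON Token belongs to anonymous user
 * and it's only good for IPC Connection.
 * SMB_ATF_POWERUSER Token belongs to a Power User member
 * SMB_ATF_BACKUPOP Token belongs to a Power User member
 * SMB_ATF_ADMIN Token belongs to a Domain Admins member
 */
-#define SMB_ATF_GUEST 0x00000001
-#define SMB_ATF_ANON 0x00000002
+#define SMB_ATF_ANON 0x00000001
+#define SMB_ATF_GUEST 0x00000002
 #define SMB_ATF_POWERUSER 0x00000004
 #define SMB_ATF_BACKUPOP 0x00000008
 #define SMB_ATF_ADMIN 0x00000010
 
 #define SMB_POSIX_GRPS_SIZE(n) \
 (sizeof (smb_posix_grps_t) + (n - 1) * sizeof (gid_t))
 /*
 * It consists of the primary and supplementary POSIX groups.
 * See also: smb_posix_grps_xdr()
 */
 typedef struct smb_posix_grps {
 uint32_t pg_ngrps;
 gid_t pg_grps[ANY_SIZE_ARRAY];
 } smb_posix_grps_t;
 
 /*
 * An NT-style logon "token" (NT terminology)
 * See also: smb_token_xdr()
 */
 typedef struct smb_token {
 smb_id_t tkn_user;
 smb_id_t tkn_owner;
 smb_id_t tkn_primary_grp;
 smb_ids_t tkn_win_grps;
 smb_privset_t *tkn_privileges;
 char *tkn_account_name;
 char *tkn_domain_name;
 uint32_t tkn_flags;
 uint32_t tkn_audit_sid;
 smb_buf32_t tkn_ssnkey;
 smb_posix_grps_t *tkn_posix_grps;
+ au_id_t tkn_auid;
+ au_mask_t tkn_amask;
+ au_asid_t tkn_asid;
 } smb_token_t;
 
 /*
 * Details required to authenticate a user.
 * See also: smb_logon_xdr()
 */
 typedef struct smb_logon {
 uint16_t lg_level;
 char *lg_username; /* requested username */
 char *lg_domain; /* requested domain */
 char *lg_e_username; /* effective username */
 char *lg_e_domain; /* effective domain */
 char *lg_workstation;
 smb_inaddr_t lg_clnt_ipaddr;
 smb_inaddr_t lg_local_ipaddr;
 uint16_t lg_local_port;
 smb_buf32_t lg_challenge_key;
 smb_buf32_t lg_nt_password;
 smb_buf32_t lg_lm_password;
 uint32_t lg_ntlm_flags;
 int lg_native_os;
 int lg_native_lm;
 uint32_t lg_flags;
 uint32_t lg_logon_id; /* filled in user space */
 uint32_t lg_domain_type; /* filled in user space */
 uint32_t lg_secmode; /* filled in user space */
 uint32_t lg_status; /* filled in user space */
 } smb_logon_t;
 
 /*
 * This is the name of the local (AF_UNIX) socket
 * where the SMB auth. service listens.
 */
 #define SMB_AUTHSVC_SOCKNAME "/var/smb/lipc/smbauth"
 
 /*
 * Maximum number of authentcation conversations at one time.
 * Note this is _NOT_ the max. number of logged on users,
 * which can be much larger.
 */
 #define SMB_AUTHSVC_MAXTHREAD 256
 
 /*
 * Messages to and from the local security authority
 * Type codes:
 */
 typedef enum smb_lsa_mtype {
 /* reply types */
 LSA_MTYPE_OK = 0,
 LSA_MTYPE_ERROR,
 LSA_MTYPE_ES_DONE, /* ext. sec: authenticated */
 LSA_MTYPE_ES_CONT, /* more processing required */
 LSA_MTYPE_TOKEN, /* smb_token_t */
 
 /* request types */
 LSA_MTYPE_OLDREQ, /* non-ext. sec. session setup */
 LSA_MTYPE_CLINFO, /* client info sent at start of ES */
 LSA_MTYPE_ESFIRST, /* spnego initial message */
 LSA_MTYPE_ESNEXT, /* spnego continuation */
 LSA_MTYPE_GETTOK /* after ES auth, get token */
 } smb_lsa_mtype_t;
 
 /*
 * msg: header common to all message types
 */
 typedef struct smb_lsa_msg_hdr {
 uint32_t lmh_msgtype; /* smb_lsa_mtype_t */
 uint32_t lmh_msglen; /* size of what follows */
 } smb_lsa_msg_hdr_t;
 
 /*
 * eresp: error response
 * msgtype: LSA_MTYPE_ERESP
 */
 typedef struct smb_lsa_eresp {
 uint32_t ler_ntstatus;
 uint16_t ler_errclass;
 uint16_t ler_errcode;
 } smb_lsa_eresp_t;
 
 /*
 * Message for LSA_MTYPE_CLINFO
 */
 typedef struct smb_lsa_clinfo {
 smb_inaddr_t lci_clnt_ipaddr;
 unsigned char lci_challenge_key[8];
 int lci_native_os;
 int lci_native_lm;
 } smb_lsa_clinfo_t;
 
 struct XDR;
 int smb_logon_xdr(struct XDR *, smb_logon_t *);
 int smb_token_xdr(struct XDR *, smb_token_t *);
 
 #if defined(_KERNEL) || defined(_FAKE_KERNEL)
 void smb_token_free(smb_token_t *);
 #else /* _KERNEL */
 smb_token_t *smb_logon(smb_logon_t *);
 void smb_logon_abort(void);
 void smb_token_destroy(smb_token_t *);
 uint8_t *smb_token_encode(smb_token_t *, uint32_t *);
 void smb_token_log(smb_token_t *);
 smb_logon_t *smb_logon_decode(uint8_t *, uint32_t);
 void smb_logon_free(smb_logon_t *);
 #endif /* _KERNEL */
 
 int smb_token_query_privilege(smb_token_t *token, int priv_id);
 boolean_t smb_token_valid(smb_token_t *);
 
 #ifdef __cplusplus
 }
 #endif
 
 #endif /* _SMB_TOKEN_H */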
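Review bot: The three audit members appended to smb_token_t (tkn_auid, tkn_amask, tkn_asid) carry no comment, and because the struct's own comment names smb_token_xdr() as its serialized form, that routine has to be extended in step or the kernel will receive tokens whose audit identity is whatever the decoder leaves in those fields; smb_token_xdr is only declared here, so the hunk does not show whether that was done. Suggest documenting them in the style used by smb_logon_t, e.g. `au_id_t tkn_auid; /* audit user ID for this session (presumably set by smbd; confirm) */`, with one-line comments for tkn_amask (audit preselection mask) and tkn_asid (audit session ID), and a note on how they relate to the pre-existing tkn_audit_sid. Renumbering SMB_ATF_ANON and SMB_ATF_GUEST also changes the meaning of tkn_flags bits that cross the same user/kernel XDR path, so an smbd and a kernel module built from different revisions of this header would treat an anonymous (IPC-only) token as guest and vice versa; a short comment at the defines recording why the bits were reordered would make that deliberate ABI break visible to the next reader. While touching these lines, the flag comment block still lists SMB_ATF_GUEST before SMB_ATF_ANON and describes SMB_ATF_BACKUPOP as a "Power User member", which looks like a copy-paste slip.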