NEX-18708 Domain logons may get STATUS_ACCESS_DENIED
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-14666 Need to provide SMB 2.1 Client
NEX-17187 panic in smbfs_acl_store
NEX-17231 smbfs create xattr files finds wrong file
NEX-17224 smbfs lookup EINVAL should be ENOENT
NEX-17260 SMB1 client fails to list directory after NEX-14666
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
Reviewed by: Saso Kiselkov <saso.kiselkov@nexenta.com>
Reviewed by: Joyce McIntosh <joyce.mcintosh@nexenta.com>
and: (cleanup)
1575 untangle libmlrpc from SMB server
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Toomas Soome <tsoome@me.com>
Approved by: Richard Lowe <richlowe@richlowe.net>
NEX-4083 Upstream changes from illumos 5917 and 5995
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Kevin Crowe <kevin.crowe@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
NEX-2667 Wrong error when join domain with wrong password
Reviewed by: Kevin Crowe <kevin.crowe@nexenta.com>
Reviewed by: Bayard Bell <bayard.bell@nexenta.com>
SUP-621 ... join AD domain, ... ACCESS_DENIED when trying to open \lsarpc
NEX-2225 Unable to join NexentaStor to 2008 AD
NEX-2286 smbadm join error messages are uninformative
NEX-1852 re-enable Kerberos-style AD join (try 2)
NEX-1638 Updated DC Locator
 Includes work by: matt.barden@nexenta.com, kevin.crowe@nexenta.com
SFR-56 Identity Management for UNIX (IDMU) authentication support
re #13190 rb4312 idmapd error -9961 (No AD servers)
re #12435 rb3958 r10 is added 2 times to panic info
re #12393 rb3935 Kerberos and smbd disagree about who is our AD server

*** 18,28 **** * * CDDL HEADER END */ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. ! * Copyright 2015 Nexenta Systems, Inc. All rights reserved. */ /* * Utility functions to support the RPC interface library. */ --- 18,28 ---- * * CDDL HEADER END */ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. ! * Copyright 2018 Nexenta Systems, Inc. All rights reserved. */ /* * Utility functions to support the RPC interface library. */
*** 39,49 **** #include <syslog.h> #include <smbsrv/libsmb.h> #include <smbsrv/libsmbns.h> #include <smbsrv/libmlsvc.h> ! #include <smbsrv/ntaccess.h> #include <smbsrv/smbinfo.h> #include <smbsrv/netrauth.h> #include <libsmbrdr.h> #include <lsalib.h> #include <samlib.h> --- 39,49 ---- #include <syslog.h> #include <smbsrv/libsmb.h> #include <smbsrv/libsmbns.h> #include <smbsrv/libmlsvc.h> ! #include <smb/ntaccess.h> #include <smbsrv/smbinfo.h> #include <smbsrv/netrauth.h> #include <libsmbrdr.h> #include <lsalib.h> #include <samlib.h>
*** 55,89 **** char *machine_name, char *machine_pw); static DWORD mlsvc_join_noauth(smb_domainex_t *dxi, char *machine_name, char *machine_pw); ! DWORD mlsvc_netlogon(char *server, char *domain) { - mlsvc_handle_t netr_handle; DWORD status; ! status = netr_open(server, domain, &netr_handle); ! if (status != 0) { ! syslog(LOG_NOTICE, "Failed to connect to %s " ! "for domain %s (%s)", server, domain, ! xlate_nt_status(status)); ! return (status); ! } ! ! status = netlogon_auth(server, &netr_handle, NETR_FLG_INIT); if (status != NT_STATUS_SUCCESS) { syslog(LOG_NOTICE, "Failed to establish NETLOGON " "credential chain with DC: %s (%s)", server, xlate_nt_status(status)); syslog(LOG_NOTICE, "The machine account information on the " "domain controller does not match the local storage."); syslog(LOG_NOTICE, "To correct this, use 'smbadm join'"); } - (void) netr_close(&netr_handle); return (status); } /* --- 55,82 ---- char *machine_name, char *machine_pw); static DWORD mlsvc_join_noauth(smb_domainex_t *dxi, char *machine_name, char *machine_pw); ! /* ! * This is called by smbd_dc_update just after we've learned about a ! * new domain controller. Make sure we can authenticate with this DC. ! */ DWORD mlsvc_netlogon(char *server, char *domain) { DWORD status; ! status = smb_netlogon_check(server, domain); if (status != NT_STATUS_SUCCESS) { syslog(LOG_NOTICE, "Failed to establish NETLOGON " "credential chain with DC: %s (%s)", server, xlate_nt_status(status)); syslog(LOG_NOTICE, "The machine account information on the " "domain controller does not match the local storage."); syslog(LOG_NOTICE, "To correct this, use 'smbadm join'"); } return (status); } /*
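Review bot: The three syslog lines after the `smb_netlogon_check()` failure now unconditionally tell the operator that the machine account does not match and to run 'smbadm join', whereas the removed code logged a distinct "Failed to connect to %s for domain %s" message when `netr_open` failed and reserved the rejoin advice for a `netlogon_auth` failure. If `smb_netlogon_check` folds transport or connection errors into the same returned status, a transient DC outage will now produce advice to rejoin the domain, which is misleading and can prompt an unnecessary account reset. Consider emitting the 'machine account'/'smbadm join' lines only for an authentication/access status and a plain connection-failure message otherwise, or stating in the new comment above `mlsvc_netlogon` that `smb_netlogon_check` is expected to fail only on credential mismatch. The implementation of `smb_netlogon_check` is not visible here, so whether it returns connection failures through this status is inferred, not established; the whole of `mlsvc_netlogon` is within the hunk.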
*** 422,427 **** --- 415,460 ---- void mlsvc_disconnect(const char *server) { smbrdr_disconnect(server); + } + + /* + * A few more helper functions for RPC services. + */ + + /* + * Check whether or not the specified user has administrator privileges, + * i.e. is a member of Domain Admins or Administrators. + * Returns true if the user is an administrator, otherwise returns false. + */ + boolean_t + ndr_is_admin(ndr_xa_t *xa) + { + smb_netuserinfo_t *ctx = xa->pipe->np_user; + + return (ctx->ui_flags & SMB_ATF_ADMIN); + } + + /* + * Check whether or not the specified user has power-user privileges, + * i.e. is a member of Domain Admins, Administrators or Power Users. + * This is typically required for operations such as managing shares. + * Returns true if the user is a power user, otherwise returns false. + */ + boolean_t + ndr_is_poweruser(ndr_xa_t *xa) + { + smb_netuserinfo_t *ctx = xa->pipe->np_user; + + return ((ctx->ui_flags & SMB_ATF_ADMIN) || + (ctx->ui_flags & SMB_ATF_POWERUSER)); + } + + int32_t + ndr_native_os(ndr_xa_t *xa) + { + smb_netuserinfo_t *ctx = xa->pipe->np_user; + + return (ctx->ui_native_os); }
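Review bot: `ndr_is_admin` is declared `boolean_t` but returns the masked value `ctx->ui_flags & SMB_ATF_ADMIN`, i.e. the flag bit itself rather than B_TRUE, so a caller written as `if (ndr_is_admin(xa) == B_TRUE)` would deny an administrator; since this is an authorization check for RPC services, make the boolean explicit with `return ((ctx->ui_flags & SMB_ATF_ADMIN) != 0);`. `ndr_is_poweruser` already yields 0/1 through `||`, so the two helpers would then agree. `ndr_native_os` is the only one of the three new helpers without a header comment; a one-liner such as `/* Return the native OS identifier (ui_native_os) recorded for the user on this pipe. */` would match its siblings. All three dereference `xa->pipe->np_user` without a NULL check; whether `np_user` is guaranteed set for every transaction that reaches these helpers is not visible in this hunk.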