1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
|
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright 2013 Nexenta Systems, Inc. All rights reserved.
*/
/*
* Utility functions to support the RPC interface library.
*/
#include <stdio.h>
#include <stdarg.h>
#include <strings.h>
#include <unistd.h>
#include <netdb.h>
#include <stdlib.h>
#include <sys/time.h>
#include <sys/systm.h>
#include <syslog.h>
#include <smbsrv/libsmb.h>
#include <smbsrv/libsmbns.h>
#include <smbsrv/libmlsvc.h>
#include <smbsrv/ntaccess.h>
#include <smbsrv/smbinfo.h>
#include <libsmbrdr.h>
#include <lsalib.h>
#include <samlib.h>
#include <smbsrv/netrauth.h>
extern int netr_open(char *, char *, mlsvc_handle_t *);
extern int netr_close(mlsvc_handle_t *);
extern DWORD netlogon_auth(char *, mlsvc_handle_t *, DWORD);
static DWORD
mlsvc_join_rpc(smb_domainex_t *dxi,
char *admin_user, char *admin_pw,
char *machine_name, char *machine_pw);
static DWORD
mlsvc_join_noauth(smb_domainex_t *dxi,
char *machine_name, char *machine_pw);
DWORD
mlsvc_netlogon(char *server, char *domain)
{
mlsvc_handle_t netr_handle;
DWORD status;
if (netr_open(server, domain, &netr_handle) == 0) {
if ((status = netlogon_auth(server, &netr_handle,
NETR_FLG_INIT)) != NT_STATUS_SUCCESS)
syslog(LOG_NOTICE, "Failed to establish NETLOGON "
"credential chain");
(void) netr_close(&netr_handle);
} else {
syslog(LOG_NOTICE, "Failed to connect to %s "
"for domain %s", server, domain);
status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
return (status);
}
/*
* Join the specified domain. The method varies depending on whether
* we're using "secure join" (using an administrative account to join)
* or "unsecure join" (using a pre-created machine account). In the
* latter case, the machine account is created "by hand" before this
* machine attempts to join, and we just change the password from the
* (weak) default password for a new machine account to a random one.
*
* Note that the caller has already done "DC discovery" and passes the
* domain info. in the first arg.
*
* Returns NT status codes.
*/
DWORD
mlsvc_join(smb_domainex_t *dxi, char *admin_user, char *admin_pw)
{
char machine_name[SMB_SAMACCT_MAXLEN];
char machine_pw[NETR_MACHINE_ACCT_PASSWD_MAX];
unsigned char passwd_hash[SMBAUTH_HASH_SZ];
smb_domain_t *di = &dxi->d_primary;
DWORD status;
int rc;
/*
* Domain join support: AD (Kerberos+LDAP) or MS-RPC?
* Leave the AD code path disabled until it can be
* fixed up so that the SMB server is in complete
* control of which AD server we talk to. See:
* NX 12427 (Re-enable Kerberos+LDAP with...)
*/
boolean_t ads_enabled = smb_config_get_ads_enable();
if (smb_getsamaccount(machine_name, sizeof (machine_name)) != 0)
return (NT_STATUS_INTERNAL_ERROR);
(void) smb_gen_random_passwd(machine_pw, sizeof (machine_pw));
/*
* A non-null user means we do "secure join".
*/
if (admin_user != NULL && admin_user[0] != '\0') {
/*
* Doing "secure join", so authenticate as the
* specified user (with admin. rights).
*/
(void) smb_auth_ntlm_hash(admin_pw, passwd_hash);
smb_ipc_set(admin_user, passwd_hash);
/*
* If enabled, try to join using AD Services.
* The ADS code needs work. Not enabled yet.
*/
status = NT_STATUS_UNSUCCESSFUL;
if (ads_enabled) {
smb_adjoin_status_t err;
err = smb_ads_join(di->di_fqname,
admin_user, admin_pw, machine_pw);
if (err != SMB_ADJOIN_SUCCESS) {
smb_ads_join_errmsg(err);
} else {
status = NT_STATUS_SUCCESS;
}
}
/*
* If ADS was disabled or gave an error,
* fall-back and try to join using RPC.
*/
if (status != NT_STATUS_SUCCESS) {
status = mlsvc_join_rpc(dxi,
admin_user, admin_pw,
machine_name, machine_pw);
}
} else {
/*
* Doing "Unsecure join" (pre-created account)
*/
bzero(passwd_hash, sizeof (passwd_hash));
smb_ipc_set(MLSVC_ANON_USER, passwd_hash);
status = mlsvc_join_noauth(dxi, machine_name, machine_pw);
}
if (status != NT_STATUS_SUCCESS)
goto out;
/*
* Make sure we can authenticate using the
* (new, or updated) machine account.
*/
(void) smb_auth_ntlm_hash(machine_pw, passwd_hash);
smb_ipc_set(machine_name, passwd_hash);
rc = smbrdr_logon(dxi->d_dc, di->di_nbname, machine_name);
if (rc != 0) {
syslog(LOG_NOTICE, "Authenticate with "
"new/updated machine account: %s",
strerror(rc));
status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
goto out;
}
/*
* Store the new machine account password.
*/
rc = smb_setdomainprops(NULL, dxi->d_dc, machine_pw);
if (rc != 0) {
syslog(LOG_NOTICE,
"Failed to save machine account password");
status = NT_STATUS_INTERNAL_DB_ERROR;
goto out;
}
/*
* Update idmap config
*/
if (smb_config_set_idmap_domain(di->di_fqname) != 0)
syslog(LOG_NOTICE, "Failed to set idmap domain name");
if (smb_config_refresh_idmap() != 0)
syslog(LOG_NOTICE, "Failed to refresh idmap service");
/*
* Note: The caller (smbd) saves the "secmode" and
* domain info (via smb_config_setdomaininfo) and
* and does smb_ipc_commit (or rollback).
*/
status = 0;
out:
/* Avoid leaving cleartext passwords around. */
bzero(machine_pw, sizeof (machine_pw));
bzero(passwd_hash, sizeof (passwd_hash));
return (status);
}
static DWORD
mlsvc_join_rpc(smb_domainex_t *dxi,
char *admin_user, char *admin_pw,
char *machine_name, char *machine_pw)
{
mlsvc_handle_t samr_handle;
mlsvc_handle_t domain_handle;
mlsvc_handle_t user_handle;
smb_account_t ainfo;
char *server = dxi->d_dc;
smb_domain_t *di = &dxi->d_primary;
DWORD account_flags;
DWORD rid;
DWORD status;
int rc;
/* Caller did smb_ipc_set() so we don't need the pw for now. */
_NOTE(ARGUNUSED(admin_pw));
rc = samr_open(server, di->di_nbname, admin_user,
MAXIMUM_ALLOWED, &samr_handle);
if (rc != 0) {
syslog(LOG_NOTICE, "sam_connect to server %s failed", server);
return (RPC_NT_SERVER_UNAVAILABLE);
}
/* have samr_handle */
status = samr_open_domain(&samr_handle, MAXIMUM_ALLOWED,
(struct samr_sid *)di->di_binsid, &domain_handle);
if (status != NT_STATUS_SUCCESS)
goto out_samr_handle;
/* have domain_handle */
account_flags = SAMR_AF_WORKSTATION_TRUST_ACCOUNT;
status = samr_create_user(&domain_handle, machine_name,
account_flags, &rid, &user_handle);
if (status == NT_STATUS_USER_EXISTS) {
status = samr_lookup_domain_names(&domain_handle,
machine_name, &ainfo);
if (status != NT_STATUS_SUCCESS)
goto out_domain_handle;
status = samr_open_user(&domain_handle, MAXIMUM_ALLOWED,
ainfo.a_rid, &user_handle);
}
if (status != NT_STATUS_SUCCESS) {
syslog(LOG_NOTICE,
"Create or open machine account: %s",
xlate_nt_status(status));
goto out_domain_handle;
}
/*
* The account exists, and we have user_handle open
* on that account. Set the password and flags.
*/
status = netr_set_user_password(&user_handle, machine_pw);
if (status != NT_STATUS_SUCCESS) {
syslog(LOG_NOTICE,
"Set machine account password: %s",
xlate_nt_status(status));
goto out_user_handle;
}
account_flags |= SAMR_AF_DONT_EXPIRE_PASSWD;
status = netr_set_user_control(&user_handle, account_flags);
if (status != NT_STATUS_SUCCESS) {
syslog(LOG_NOTICE,
"Set machine account control flags: %s",
xlate_nt_status(status));
goto out_user_handle;
}
out_user_handle:
(void) samr_close_handle(&user_handle);
out_domain_handle:
(void) samr_close_handle(&domain_handle);
out_samr_handle:
(void) samr_close_handle(&samr_handle);
return (status);
}
/*
* Doing "Unsecure join" (using a pre-created machine account).
* All we need to do is change the password from the default
* to a random string.
*
* Note: this is a work in progres. Nexenta issue 11960
* (allow joining an AD domain using a pre-created computer account)
* It turns out that to change the machine account password,
* we need to use a different RPC call, performed over the
* NetLogon secure channel. (See netr_server_password_set2)
*/
static DWORD
mlsvc_join_noauth(smb_domainex_t *dxi,
char *machine_name, char *machine_pw)
{
char old_pw[SMB_SAMACCT_MAXLEN];
DWORD status;
/*
* Compose the current (default) password for the
* pre-created machine account, which is just the
* account name in lower case, truncated to 14
* characters.
*/
if (smb_gethostname(old_pw, sizeof (old_pw), SMB_CASE_LOWER) != 0)
return (NT_STATUS_INTERNAL_ERROR);
old_pw[14] = '\0';
status = netr_change_password(dxi->d_dc, machine_name,
old_pw, machine_pw);
if (status != NT_STATUS_SUCCESS) {
syslog(LOG_NOTICE,
"Change machine account password: %s",
xlate_nt_status(status));
}
return (status);
}
void
mlsvc_disconnect(const char *server)
{
smbrdr_disconnect(server);
}
|
