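/*
 * Copyright (c) 2010 Apple Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

#include <sys/param.h>
#include <sys/errno.h>
#include <sys/stat.h>
#include <err.h>
#include <stdio.h>
#include <unistd.h>
#include <strings.h>
#include <stdlib.h>
#include <sysexits.h>

#include <stdint.h>
#include <netsmb/smb.h>

#include <smbclient/smbclient.h>
#include <smbclient/smbclient_internal.h>
#include <smbclient/smbclient_netfs.h>
#include <smbclient/ntstatus.h>

#include "SetNetworkAccountSID.h"
#include "LsarLookup.h"

/* Size of the scratch buffer used to render a SID for the debug log. */
#define MAX_SID_PRINTBUFFER 256

/*
 * Render a SID as "S-<kind>-<identifier authority>[-<subauthority>...]" and
 * log it at debug level together with the account and domain it belongs to.
 *
 * sidptr   SID to print; NULL is tolerated and prints nothing.
 * account  account name, may be NULL (logged as "").
 * domain   domain name, may be NULL (logged as "").
 *
 * The SID is the result of an LSA lookup against the server, i.e. it is
 * network-derived data. Two things are therefore bounded explicitly:
 *  - the subauthority walk is clamped to the capacity of sid_authorities, so
 *    an oversized sid_authcount cannot read past the end of the struct;
 *  - every snprintf() result is checked, so a truncated rendering can never
 *    move the write cursor beyond the buffer (the original added the return
 *    value unconditionally, which on truncation would have turned the
 *    remaining length into a huge size_t and overrun the buffer).
 * On truncation the partially rendered SID is logged as-is.
 */
static void
print_ntsid(ntsid_t *sidptr, const char *account, const char *domain)
{
    char sidprintbuf[MAX_SID_PRINTBUFFER] = "";
    size_t used = 0;
    uint64_t auth = 0;
    size_t subs, max_subs, i;
    int rc;

    if (sidptr == NULL) {
        return;
    }

    /* The 48-bit identifier authority is stored big-endian in six bytes. */
    for (i = 0; i < sizeof(sidptr->sid_authority); i++) {
        auth = (auth << 8) | sidptr->sid_authority[i];
    }

    rc = snprintf(sidprintbuf, sizeof(sidprintbuf), "S-%u-%llu",
                  (unsigned)sidptr->sid_kind, (unsigned long long)auth);
    if (rc < 0 || (size_t)rc >= sizeof(sidprintbuf)) {
        /* Error or truncation: log whatever snprintf left behind. */
        goto log;
    }
    used = (size_t)rc;

    /*
     * sid_authorities is a fixed-size array inside ntsid_t; never trust the
     * count field beyond that capacity.
     */
    max_subs = sizeof(sidptr->sid_authorities) / sizeof(sidptr->sid_authorities[0]);
    subs = sidptr->sid_authcount;
    if (subs > max_subs) {
        subs = max_subs;
    }

    for (i = 0; i < subs; i++) {
        size_t remaining = sizeof(sidprintbuf) - used;

        rc = snprintf(sidprintbuf + used, remaining, "-%u",
                      (unsigned)sidptr->sid_authorities[i]);
        if (rc < 0 || (size_t)rc >= remaining) {
            /* Out of room; stop rather than advance past the buffer. */
            break;
        }
        used += (size_t)rc;
    }

log:
    SMBLogInfo("%s\\%s network sid %s \n", ASL_LEVEL_DEBUG,
               (domain) ? domain : "", (account) ? account : "", sidprintbuf);
}

/*
 * Resolve the network SID of the account this session authenticated as and
 * hand it to the SMB library via SMBSetNetworkIdentity().
 *
 * sessionRef  opaque session reference, wrapped by SMBAllocateAndSetContext().
 * args        unused.
 *
 * The lookup is skipped when the session already carries a network SID
 * (kHasNtwrkSID) or when it authenticated as guest or anonymous, since there
 * is no real account to resolve in those cases. All failures are deliberately
 * swallowed: a missing network SID only means ACL support stays off.
 */
void setNetworkAccountSID(void *sessionRef, void *args)
{
#pragma unused(args)
    SMBHANDLE serverConnection = SMBAllocateAndSetContext(sessionRef);
    SMBServerPropertiesV1 properties;
    NTSTATUS status;
    ntsid_t *ntsid = NULL;
    char *account = NULL;
    char *domain = NULL;

    if (serverConnection == NULL) {
        goto done;
    }

    bzero(&properties, sizeof(properties));
    status = SMBGetServerProperties(serverConnection, &properties,
                                    kPropertiesVersion, sizeof(properties));
    if (!NT_SUCCESS(status)) {
        goto done;
    }

    /* Already have a network SID assigned: nothing to do. */
    if (properties.internalFlags & kHasNtwrkSID) {
        goto done;
    }

    /* Never set a user SID for guest or anonymous authentication. */
    if ((properties.authType == kSMBAuthTypeGuest) ||
        (properties.authType == kSMBAuthTypeAnonymous)) {
        goto done;
    }

    status = GetNetworkAccountSID(properties.serverName, &account, &domain, &ntsid);
    if (!NT_SUCCESS(status) || ntsid == NULL) {
        goto done;
    }

    print_ntsid(ntsid, account, domain);

    /*
     * In the future this should return an ntstatus and set errno. Currently
     * the error is ignored, since the failure just means ACLs are off.
     */
    (void)SMBSetNetworkIdentity(serverConnection, ntsid, account, domain);

done:
    /* free(NULL) is a no-op; all of these are NULL until assigned. */
    free(account);
    free(domain);
    free(ntsid);
    /*
     * Released with free() exactly as the original did. NOTE(review): this
     * assumes SMBAllocateAndSetContext() hands back a plain malloc'd block;
     * confirm against its definition before changing ownership here.
     */
    free(serverConnection);
}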