1 /* 
2    Unix SMB/Netbios implementation.
3    Version 1.9.
4    NT Domain Authentication SMB / MSRPC client
5    Copyright (C) Andrew Tridgell 1994-1997
6    Copyright (C) Luke Kenneth Casson Leighton 1996-1997
7    
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 2 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program; if not, write to the Free Software
20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #ifdef SYSLOG
24 #undef SYSLOG
25 #endif
26
27 #include "includes.h"
28
29 extern int DEBUGLEVEL;
30 extern pstring username;
31 extern pstring smb_login_passwd;
32 extern pstring workgroup;
33
34 #define CLIENT_TIMEOUT (30*1000)
35
36 #ifdef NTDOMAIN
37
38
39 /****************************************************************************
40 experimental nt login.
41 ****************************************************************************/
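/****************************************************************************
 wipe a secret from memory.

 A plain memset() on a buffer that is about to go out of scope can be
 removed by the optimiser; stores through a volatile pointer cannot.
****************************************************************************/
static void wipe_secret(void *p, size_t len)
{
	volatile unsigned char *vp = (volatile unsigned char *)p;

	while (len--)
	{
		*vp++ = 0;
	}
}

/****************************************************************************
 open a named pipe, set its handle state and bind the rpc interface on it.

 pipe_name:         the pipe to open (PIPE_LSARPC, PIPE_NETLOGON).
 inbuf/outbuf:      rpc transaction buffers owned by the caller.
 Client, cnum:      the smb connection and tree the pipe is opened on.
 call_id:           incremented for the bind request, like every rpc call.
 abstract/transfer: interface UUIDs already filled in by make_rpc_iface().

 Returns the pipe fnum, or 0xffff on failure.  On failure the pipe is
 closed again, so the caller has nothing to release.
****************************************************************************/
static uint16 open_and_bind_pipe(char *pipe_name, char *inbuf, char *outbuf,
				int Client, int cnum, uint32 *call_id,
				RPC_IFACE *abstract, RPC_IFACE *transfer)
{
	uint16 fnum = rpc_pipe_open(inbuf, outbuf, pipe_name, Client, cnum);

	if (fnum == 0xffff)
	{
		return 0xffff;
	}

	/**************** Set Named Pipe State ***************/
	if (!rpc_pipe_set_hnd_state(pipe_name, fnum, 0x4300))
	{
		/* the pipe is open: close it rather than leak the handle */
		cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
		return 0xffff;
	}

	/******************* bind request *****************/

	DEBUG(4,("RPC Bind[%x]\n", fnum));

	if (!rpc_pipe_bind(pipe_name, fnum, ++(*call_id), abstract, transfer))
	{
		cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
		return 0xffff;
	}

	return fnum;
}

/****************************************************************************
 experimental nt login.

 Runs the sequence a workstation performs against a domain controller:
 open-policy / query-info (levels 3 and 5) / close on \PIPE\lsarpc, then
 request-challenge / auth2 / sam-logon / sam-logoff on \PIPE\NETLOGON.

 desthost:     name of the domain controller.
 myhostname:   this machine's name; also used to derive the machine account
               ("<myhostname>$") and, for now, the initial machine password.
 Client, cnum: the open smb connection and tree to send on.

 Returns True when every step succeeded, False otherwise.  Every path
 releases the pipe and the rpc buffers and wipes the session key and the
 password hashes before returning.
****************************************************************************/
BOOL do_nt_login(char *desthost, char *myhostname,
				int Client, int cnum)
{
	DOM_CHAL clnt_chal;
	DOM_CHAL srv_chal;

	DOM_CRED clnt_cred;

	DOM_CHAL auth2_srv_chal;

	DOM_CRED sam_logon_clnt_cred;
	DOM_CRED sam_logon_rtn_cred;
	DOM_CRED sam_logon_srv_cred;

	DOM_CRED sam_logoff_clnt_cred;
	DOM_CRED sam_logoff_rtn_cred;
	DOM_CRED sam_logoff_srv_cred;

	DOM_ID_INFO_1 id1;
	LSA_USER_INFO user_info1;
	LSA_POL_HND pol;
	size_t i;

	UTIME zerotime;

	uchar sess_key[8];
	char nt_owf_mach_pwd[16];
	fstring mach_acct;
	fstring mach_pwd;
	fstring server_name;

	RPC_IFACE abstract;
	RPC_IFACE transfer;

	/* kept static in case make_rpc_iface() retains a pointer to the data
	   instead of copying it - verify against make_rpc_iface() */
	static char abs_data[16];
	static char trn_data[16];

	/* received from LSA Query Info Policy, level 5 */
	fstring level5_domain_name;
	pstring level5_domain_sid;

	/* received from LSA Query Info Policy, level 3 */
	fstring level3_domain_name;
	pstring level3_domain_sid;

	/* 0xffff means "no pipe open"; it is what rpc_pipe_open() returns on
	   failure, so the single exit below can tell whether to close one */
	uint16 fnum = 0xffff;
	uint32 call_id = 0;
	char *inbuf = NULL;
	char *outbuf = NULL;
	BOOL ret = False;

	zerotime.time = 0;

	inbuf  = malloc(BUFFER_SIZE + SAFETY_MARGIN);
	outbuf = malloc(BUFFER_SIZE + SAFETY_MARGIN);

	if (!inbuf || !outbuf)
	{
		DEBUG(0,("out of memory\n"));
		goto out;
	}

	/******************* interface UUIDs *****************/

	for (i = 0; i < sizeof(trn_data); i++)
	{
		trn_data[i] = (char)(2 * i);
	}

	for (i = 0; i < sizeof(abs_data); i++)
	{
		abs_data[i] = (char)i;
	}

	/* the same pair of interface UUIDs is used to bind both pipes below */
	make_rpc_iface(&abstract, abs_data, 0x0);
	make_rpc_iface(&transfer, trn_data, 0x2);

	/******************* open and bind \PIPE\lsarpc *****************/

	fnum = open_and_bind_pipe(PIPE_LSARPC, inbuf, outbuf, Client, cnum,
				  &call_id, &abstract, &transfer);
	if (fnum == 0xffff)
	{
		goto out;
	}

	/******************* Open Policy ********************/

	/* "\\<myhostname>", bounded so a long hostname cannot run off the end */
	fstrcpy(server_name, "\\\\");
	strncat(server_name, myhostname, sizeof(server_name) - strlen(server_name) - 1);

	/* send an open policy request; receive a policy handle */
	if (!do_lsa_open_policy(fnum, ++call_id, server_name, &pol))
	{
		goto out;
	}

	/**************** Query Info Policy, level 3 ********************/

	/* send a query info policy at level 3; receive an info policy */
	if (!do_lsa_query_info_pol(fnum, ++call_id, &pol, 0x3,
				   level3_domain_name, level3_domain_sid))
	{
		goto out;
	}

	/**************** Query Info Policy, level 5 ********************/

	/* send a query info policy at level 5; receive an info policy */
	if (!do_lsa_query_info_pol(fnum, ++call_id, &pol, 0x5,
				   level5_domain_name, level5_domain_sid))
	{
		goto out;
	}

	/******************* Close Policy ********************/

	/* send a close policy request; receive a close pol response */
	if (!do_lsa_close(fnum, ++call_id, &pol))
	{
		goto out;
	}

	/******************* close the \PIPE\lsarpc file *******************/

	cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
	fnum = 0xffff;

	/******************* open and bind \PIPE\NETLOGON *****************/

	fnum = open_and_bind_pipe(PIPE_NETLOGON, inbuf, outbuf, Client, cnum,
				  &call_id, &abstract, &transfer);
	if (fnum == 0xffff)
	{
		goto out;
	}

	/******************* Request Challenge ********************/

	/* machine account is "<myhostname>$", bounded like server_name above */
	fstrcpy(mach_acct, myhostname);
	strncat(mach_acct, "$", sizeof(mach_acct) - strlen(mach_acct) - 1);

	/* the initial machine password is the lower-cased hostname: copy
	   first, then lower-case (lower-casing before the copy read an
	   uninitialised buffer) */
	fstrcpy(mach_pwd, myhostname);
	strlower(mach_pwd);

	/* NOTE(review): a constant client challenge is predictable; a
	   production client should fill clnt_chal from a cryptographic
	   random source. */
	SIVAL(clnt_chal.data, 0, 0x11111111);
	SIVAL(clnt_chal.data, 4, 0x22222222);

	/* send a client challenge; receive a server challenge */
	if (!do_lsa_req_chal(fnum, ++call_id, desthost, myhostname, &clnt_chal, &srv_chal))
	{
		goto out;
	}

	/************ Long-term Session key (default) **********/

	/* TODO: the real machine password (get_md4pw() on the smbpasswd
	   entry) needs become_root(), which the client cannot do; until then
	   the nt owf is generated from the initial machine password. */
	{
		char lm_owf_mach_pwd[16];
		nt_lm_owf_gen(mach_pwd, nt_owf_mach_pwd, lm_owf_mach_pwd);
		/* only the nt owf is used below */
		wipe_secret(lm_owf_mach_pwd, sizeof(lm_owf_mach_pwd));
	}

#ifdef DEBUG_PASSWORD
	/* password material reaches the log only in DEBUG_PASSWORD builds,
	   as for the user password below */
	DEBUG(5,("generating nt owf from initial machine pwd: %s\n", mach_pwd));
	dump_data(6, nt_owf_mach_pwd, 16);
#endif

	/* calculate the session key */
	cred_session_key(&clnt_chal, &srv_chal, nt_owf_mach_pwd, sess_key);

	/******************* Authenticate 2 ********************/

	/* calculate auth-2 credentials */
	cred_create(sess_key, &clnt_chal, zerotime, &(clnt_cred.challenge));

	/* send client auth-2 challenge; receive an auth-2 challenge */
	if (!do_lsa_auth2(fnum, ++call_id, desthost, mach_acct, 2, myhostname,
			  &(clnt_cred.challenge), 0x000001ff, &auth2_srv_chal))
	{
		goto out;
	}

	/*********************** SAM Info ***********************/

	{
		char lm_owf_user_pwd[16];
		char nt_owf_user_pwd[16];
		nt_lm_owf_gen(smb_login_passwd, nt_owf_user_pwd, lm_owf_user_pwd);

#ifdef DEBUG_PASSWORD

		DEBUG(100,("lm owf of user password: "));
		dump_data(100, lm_owf_user_pwd, 16);

		DEBUG(100,("nt owf of user password: "));
		dump_data(100, nt_owf_user_pwd, 16);

#endif

		/* this is used in both the SAM Logon and the SAM Logoff */
		make_id_info1(&id1, workgroup, 0,
		      getuid(), 0,
		      username, myhostname,
		      sess_key, lm_owf_user_pwd, nt_owf_user_pwd);

		/* id1 is used after this block ends, so it must already carry
		   what it needs from the owfs; drop the local copies */
		wipe_secret(lm_owf_user_pwd, sizeof(lm_owf_user_pwd));
		wipe_secret(nt_owf_user_pwd, sizeof(nt_owf_user_pwd));
	}

	/*********************** SAM Logon **********************/

	clnt_cred.timestamp.time = sam_logon_clnt_cred.timestamp.time = time(NULL);

	/* calculate sam logon credentials, using the auth2 client challenge */
	cred_create(sess_key, &(clnt_cred.challenge), sam_logon_clnt_cred.timestamp,
					  &(sam_logon_clnt_cred.challenge));

	/* send client sam-logon challenge; receive a sam-logon challenge */
	if (!do_lsa_sam_logon(fnum, ++call_id, sess_key, &clnt_cred, 
			  desthost, mach_acct, 
			  &sam_logon_clnt_cred, &sam_logon_rtn_cred,
			  1, 1, &id1, &user_info1,
			  &sam_logon_srv_cred))
	{
		goto out;
	}

	/*********************** SAM Logoff *********************/

	clnt_cred.timestamp.time = sam_logoff_clnt_cred.timestamp.time = time(NULL);

	/* calculate sam logoff credentials, using the sam logon return challenge */
	cred_create(sess_key, &(clnt_cred.challenge),
				sam_logoff_clnt_cred.timestamp,
			      &(sam_logoff_clnt_cred.challenge));

	/* send client sam-logoff challenge; receive a sam-logoff challenge */
	if (!do_lsa_sam_logoff(fnum, ++call_id, sess_key, &clnt_cred,
			  desthost, mach_acct, 
			  &sam_logoff_clnt_cred, &sam_logoff_rtn_cred,
			  1, 1, &id1,
			  &sam_logoff_srv_cred))
	{
		goto out;
	}

	ret = True;

out:
	/* single exit for every path: close whichever pipe is still open,
	   wipe key material, then free the rpc buffers (free(NULL) is a no-op) */
	if (fnum != 0xffff)
	{
		cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
	}

	wipe_secret(sess_key, sizeof(sess_key));
	wipe_secret(nt_owf_mach_pwd, sizeof(nt_owf_mach_pwd));
	wipe_secret(mach_pwd, sizeof(mach_pwd));
	/* id1 holds the owf hashes handed to make_id_info1() */
	wipe_secret(&id1, sizeof(id1));

	free(inbuf);
	free(outbuf);

	return ret;
}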
354 #endif /* NTDOMAIN */