2 Unix SMB/Netbios implementation.
4 NT Domain Authentication SMB / MSRPC client
5 Copyright (C) Andrew Tridgell 1994-1997
6 Copyright (C) Luke Kenneth Casson Leighton 1996-1997
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
/* Globals shared with the rest of the client; their definitions live in
   other translation units. */
29 extern int DEBUGLEVEL;
/* Presumably the threshold DEBUG() compares its level against. Note that
   do_nt_login prints the machine password at level 5 and dumps its NT OWF at
   level 6, so a verbose DEBUGLEVEL puts secrets into the log. */
30 extern pstring username;
/* Account name handed to make_id_info1 for the SAM logon. */
31 extern pstring smb_login_passwd;
/* Appears to hold the user's cleartext password: do_nt_login passes it to
   nt_lm_owf_gen to derive the LM/NT one-way functions. */
32 extern pstring workgroup;
/* Domain name handed to make_id_info1 for the SAM logon. */
34 #define CLIENT_TIMEOUT (30*1000)
/* Not used in the code shown here; the 30*1000 form suggests milliseconds -
   confirm the units at the call site that consumes it. */
39 /****************************************************************************
40 experimental nt login.
41 ****************************************************************************/
/*
 * do_nt_login: drives a full NT domain logon against desthost over MSRPC.
 *
 * Visible flow: open \PIPE\lsarpc, set the handle state, bind, open a policy
 * handle, query info policy at levels 3 and 5, close the policy handle and
 * the pipe; then open \PIPE\NETLOGON, bind, exchange challenges, derive the
 * session key from the machine account's NT OWF, run auth2, a SAM logon and
 * a SAM logoff, close the pipe and release the buffers.
 *
 * desthost   - server the NETLOGON requests are addressed to.
 * myhostname - this host's name; also copied into mach_acct (with "$"
 *              appended) and into mach_pwd, and passed to make_id_info1.
 *
 * The remaining parameters, the local declarations for clnt_chal, srv_chal,
 * clnt_cred, sess_key, id1, pol, fnum, call_id, i, zerotime and the buffers,
 * and every brace/return line are not shown in this listing. Each visible
 * failure branch closes the open pipe (where one is open) and frees
 * inbuf/outbuf; the return value on those paths is presumably False -
 * confirm against the full source.
 */
42 BOOL do_nt_login(char *desthost, char *myhostname,
/* Server challenge returned by the auth2 step. */
50 DOM_CHAL auth2_srv_chal;
/* Credential triplets (client, returned, server) for the SAM logon ... */
52 DOM_CRED sam_logon_clnt_cred;
53 DOM_CRED sam_logon_rtn_cred;
54 DOM_CRED sam_logon_srv_cred;
/* ... and for the SAM logoff. */
56 DOM_CRED sam_logoff_clnt_cred;
57 DOM_CRED sam_logoff_rtn_cred;
58 DOM_CRED sam_logoff_srv_cred;
/* Filled in by do_lsa_sam_logon. */
61 LSA_USER_INFO user_info1;
/* NT one-way function of the machine password; input to the session key. */
68 char nt_owf_mach_pwd[16];
/* Static locals: these persist across calls and are shared by every caller
   of this function. They are populated by the two loops below (bodies not
   shown) and passed to make_rpc_iface. */
76 static char abs_data[16];
77 static char trn_data[16];
79 /* received from LSA Query Info Policy, level 5 */
80 fstring level5_domain_name;
81 pstring level5_domain_sid;
83 /* received from LSA Query Info Policy, level 3 */
84 fstring level3_domain_name;
85 pstring level3_domain_sid;
/* SMB transaction buffers shared by every RPC call below; every visible exit
   path frees both. */
93 inbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
94 outbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
96 if (!inbuf || !outbuf)
98 DEBUG(0,("out of memory\n"));
/* NOTE(review): the rest of this branch is not shown; if only one of the two
   mallocs succeeded, confirm that the successful one is freed here. */
102 /******************* open the \PIPE\lsarpc file *****************/
/* 0xffff is rpc_pipe_open's failure sentinel for the file number. */
104 if ((fnum = rpc_pipe_open(inbuf, outbuf, PIPE_LSARPC, Client, cnum)) == 0xffff)
106 free(inbuf); free(outbuf);
110 /**************** Set Named Pipe State ***************/
/* 0x4300: handle-state flags passed through to the server; their meaning is
   defined by rpc_pipe_set_hnd_state, not here. */
111 if (!rpc_pipe_set_hnd_state(PIPE_LSARPC, fnum, 0x4300))
113 free(inbuf); free(outbuf);
117 /******************* bind request on \PIPE\lsarpc *****************/
119 /* create and send a MSRPC command with api LSA_OPENPOLICY */
121 DEBUG(4,("LSA RPC Bind[%x]\n", fnum));
/* Loop bodies not shown: they fill the static UUID byte arrays. */
123 for (i = 0; i < sizeof(trn_data); i++)
128 for (i = 0; i < sizeof(abs_data); i++)
133 /* create interface UUIDs. */
/* Third argument is the interface version handed to make_rpc_iface. */
134 make_rpc_iface(&abstract, abs_data, 0x0);
135 make_rpc_iface(&transfer, trn_data, 0x2);
/* ++call_id: every RPC on the pipe gets a fresh call id. */
137 if (!rpc_pipe_bind(PIPE_LSARPC, fnum, ++call_id, &abstract, &transfer))
139 free(inbuf); free(outbuf);
143 /******************* Open Policy ********************/
/* Builds "\\\\<myhostname>". The second fstrcpy writes at offset 2 -
   confirm its bound accounts for the two bytes already used. */
145 fstrcpy(server_name, ("\\\\"));
146 fstrcpy(&server_name[2], myhostname);
148 /* send an open policy request; receive a policy handle */
149 if (!do_lsa_open_policy(fnum, ++call_id, server_name, &pol))
/* From here on a pipe is open, so each failure path closes it before
   freeing the buffers. */
151 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
152 free(inbuf); free(outbuf);
156 /**************** Query Info Policy, level 3 ********************/
158 /* send a query info policy at level 3; receive an info policy */
159 if (!do_lsa_query_info_pol(fnum, ++call_id, &pol, 0x3,
160 level3_domain_name, level3_domain_sid))
162 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
163 free(inbuf); free(outbuf);
167 /**************** Query Info Policy, level 5 ********************/
169 /* send a query info policy at level 5; receive an info policy */
170 if (!do_lsa_query_info_pol(fnum, ++call_id, &pol, 0x5,
171 level5_domain_name, level5_domain_sid))
173 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
174 free(inbuf); free(outbuf);
178 /******************* Close Policy ********************/
180 /* send a close policy request; receive a close pol response */
181 if (!do_lsa_close(fnum, ++call_id, &pol))
183 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
184 free(inbuf); free(outbuf);
188 /******************* close the \PIPE\lsarpc file *******************/
190 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
194 /******************* open the \PIPE\NETLOGON file *****************/
196 if ((fnum = rpc_pipe_open(inbuf, outbuf, PIPE_NETLOGON, Client, cnum)) == 0xffff)
198 free(inbuf); free(outbuf);
202 /**************** Set Named Pipe State ***************/
203 if (!rpc_pipe_set_hnd_state(PIPE_NETLOGON, fnum, 0x4300))
205 free(inbuf); free(outbuf);
209 /******************* bind request on \PIPE\NETLOGON *****************/
/* Reuses the abstract/transfer interfaces built for the lsarpc bind. */
211 if (!rpc_pipe_bind(PIPE_NETLOGON, fnum, ++call_id, &abstract, &transfer))
213 free(inbuf); free(outbuf);
217 /******************* Request Challenge ********************/
/* mach_acct = "<myhostname>$". strcat appends without a bound check; it
   relies on fstrcpy having left room for the extra byte. mach_pwd is set to
   the bare host name, i.e. the machine password is assumed to equal the host
   name here. */
219 fstrcpy(mach_acct, myhostname);
222 fstrcpy(mach_pwd , myhostname);
223 strcat(mach_acct, "$");
/* NOTE(review): the client challenge is a fixed constant rather than a
   freshly generated value, so it contributes no unpredictability to the
   session key derived from it below. */
225 SIVAL(clnt_chal.data, 0, 0x11111111);
226 SIVAL(clnt_chal.data, 4, 0x22222222);
228 /* send a client challenge; receive a server challenge */
229 if (!do_lsa_req_chal(fnum, ++call_id, desthost, myhostname, &clnt_chal, &srv_chal))
231 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
232 free(inbuf); free(outbuf);
236 /************ Long-term Session key (default) **********/
239 /* DAMN! can't get the machine password - need become_root() to do it! */
240 /* get the machine password */
/* Looks up the machine account's NT hash by account name. */
241 if (!get_md4pw(mach_acct, nt_owf_mach_pwd))
243 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
244 free(inbuf); free(outbuf);
/* NOTE(review): this prints mach_pwd - the cleartext host-name password,
   not the OWF the message names - into the level-5 debug log. */
248 DEBUG(5,("got nt owf from smbpasswd entry: %s\n", mach_pwd));
/* The lines between here and the block below are not shown, so whether
   this block is live or compiled out cannot be told from this listing. It
   regenerates the OWFs from the host-name password and again logs the
   password in clear. */
252 char lm_owf_mach_pwd[16];
253 nt_lm_owf_gen(mach_pwd, nt_owf_mach_pwd, lm_owf_mach_pwd);
254 DEBUG(5,("generating nt owf from initial machine pwd: %s\n", mach_pwd));
/* Dumps the machine password hash at debug level 6. */
259 dump_data(6, nt_owf_mach_pwd, 16);
261 /* calculate the session key */
/* Session key is a function of both challenges and the machine NT OWF. */
262 cred_session_key(&clnt_chal, &srv_chal, nt_owf_mach_pwd, sess_key);
265 /******************* Authenticate 2 ********************/
267 /* calculate auth-2 credentials */
/* zerotime is declared on a line not shown. */
268 cred_create(sess_key, &clnt_chal, zerotime, &(clnt_cred.challenge));
270 /* send client auth-2 challenge; receive an auth-2 challenge */
/* The literal 2 and the 0x000001ff flags are passed through as-is; their
   meaning is defined by do_lsa_auth2, not here. */
271 if (!do_lsa_auth2(fnum, ++call_id, desthost, mach_acct, 2, myhostname,
272 &(clnt_cred.challenge), 0x000001ff, &auth2_srv_chal))
274 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
275 free(inbuf); free(outbuf);
280 /*********************** SAM Info ***********************/
/* LM and NT one-way functions of the user's login password. */
283 char lm_owf_user_pwd[16];
284 char nt_owf_user_pwd[16];
285 nt_lm_owf_gen(smb_login_passwd, nt_owf_user_pwd, lm_owf_user_pwd);
/* Both password hashes are dumped at level 100 when built with
   DEBUG_PASSWORD; the matching #endif is not shown in this listing. */
287 #ifdef DEBUG_PASSWORD
/* NOTE(review): the first label says "nt owf" but the data dumped is the LM
   OWF (lm_owf_user_pwd). */
289 DEBUG(100,("nt owf of user password: "));
290 dump_data(100, lm_owf_user_pwd, 16);
292 DEBUG(100,("nt owf of user password: "));
293 dump_data(100, nt_owf_user_pwd, 16);
297 /* this is used in both the SAM Logon and the SAM Logoff */
/* Bundles domain, user, host, session key and both OWFs into id1. */
298 make_id_info1(&id1, workgroup, 0,
300 username, myhostname,
301 sess_key, lm_owf_user_pwd, nt_owf_user_pwd);
304 /*********************** SAM Logon **********************/
/* One time(NULL) reading stamps both the running client credential and the
   logon credential. */
306 clnt_cred.timestamp.time = sam_logon_clnt_cred.timestamp.time = time(NULL);
308 /* calculate sam logon credentials, using the auth2 client challenge */
309 cred_create(sess_key, &(clnt_cred.challenge), sam_logon_clnt_cred.timestamp,
310 &(sam_logon_clnt_cred.challenge));
312 /* send client sam-logon challenge; receive a sam-logon challenge */
/* clnt_cred is passed by address, so do_lsa_sam_logon may update it. */
313 if (!do_lsa_sam_logon(fnum, ++call_id, sess_key, &clnt_cred,
315 &sam_logon_clnt_cred, &sam_logon_rtn_cred,
316 1, 1, &id1, &user_info1,
317 &sam_logon_srv_cred))
319 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
320 free(inbuf); free(outbuf);
324 /*********************** SAM Logoff *********************/
326 clnt_cred.timestamp.time = sam_logoff_clnt_cred.timestamp.time = time(NULL);
328 /* calculate sam logoff credentials, using the sam logon return challenge */
/* NOTE(review): the comment above says the logon *return* challenge is used,
   but the code passes clnt_cred.challenge exactly as the logon step did.
   Unless do_lsa_sam_logon updated clnt_cred in place, the logoff credential
   is not chained from the logon - confirm against do_lsa_sam_logon. */
329 cred_create(sess_key, &(clnt_cred.challenge),
330 sam_logoff_clnt_cred.timestamp,
331 &(sam_logoff_clnt_cred.challenge));
333 /* send client sam-logoff challenge; receive a sam-logoff challenge */
334 if (!do_lsa_sam_logoff(fnum, ++call_id, sess_key, &clnt_cred,
336 &sam_logoff_clnt_cred, &sam_logoff_rtn_cred,
338 &sam_logoff_srv_cred))
340 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
341 free(inbuf); free(outbuf);
345 /******************** close the \PIPE\NETLOGON file **************/
347 cli_smb_close(inbuf, outbuf, Client, cnum, fnum);
349 /* free memory used in all rpc transactions, above */
/* NOTE(review): no clearing of sess_key, nt_owf_mach_pwd or the user OWF
   buffers is visible in this listing before they go out of scope. The
   closing lines of the function are not shown. */
350 free(inbuf); free(outbuf);
354 #endif /* NTDOMAIN */